Diffstat (limited to 'BKUOnline/src/main')
50 files changed, 4436 insertions, 1235 deletions
diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/accesscontroller/SpringSecurityManager.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/accesscontroller/SpringSecurityManager.java
deleted file mode 100644
index 5795478b..00000000
--- a/BKUOnline/src/main/java/at/gv/egiz/bku/online/accesscontroller/SpringSecurityManager.java
+++ /dev/null
@@ -1,63 +0,0 @@
-/*
-* Copyright 2008 Federal Chancellery Austria and
-* Graz University of Technology
-*
-* Licensed under the Apache License, Version 2.0 (the "License");
-* you may not use this file except in compliance with the License.
-* You may obtain a copy of the License at
-*
-* http://www.apache.org/licenses/LICENSE-2.0
-*
-* Unless required by applicable law or agreed to in writing, software
-* distributed under the License is distributed on an "AS IS" BASIS,
-* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-* See the License for the specific language governing permissions and
-* limitations under the License.
-*/
-package at.gv.egiz.bku.online.accesscontroller;
-
-import java.io.IOException;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.springframework.context.ResourceLoaderAware;
-import org.springframework.core.io.Resource;
-import org.springframework.core.io.ResourceLoader;
-
-import at.gv.egiz.bku.accesscontroller.SecurityManagerFacade;
-import at.gv.egiz.bku.conf.Configurator;
-
-public class SpringSecurityManager extends SecurityManagerFacade implements
- ResourceLoaderAware {
-
- private ResourceLoader resourceLoader;
-
- private static Log log = LogFactory.getLog(SpringSecurityManager.class);
-
- protected Configurator config;
-
- public void setConfig(Configurator config) {
- this.config = config;
- }
-
- public void init() {
- String noMatch = config.getProperty("AccessController.acceptNoMatch");
- if (noMatch != null) {
- log.debug("Setting allow now match to: " + noMatch);
- setAllowUnmatched(Boolean.getBoolean(noMatch));
- }
- String policy = config.getProperty("AccessController.policyResource");
- log.info("Loading resource: " + policy);
- try {
- Resource res = resourceLoader.getResource(policy);
- init(res.getInputStream());
- } catch (IOException e) {
- log.error(e);
- }
- }
-
- @Override
- public void setResourceLoader(ResourceLoader loader) {
- this.resourceLoader = loader;
- }
-}
diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/SpringConfigurator.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/SpringConfigurator.java
deleted file mode 100644
index 6030c1c0..00000000
--- a/BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/SpringConfigurator.java
+++ /dev/null
@@ -1,127 +0,0 @@
-/*
- * Copyright 2008 Federal Chancellery Austria and
- * Graz University of Technology
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package at.gv.egiz.bku.online.conf;
-
-import java.io.File;
-import java.io.IOException;
-import java.io.InputStream;
-import java.util.Properties;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.springframework.context.ResourceLoaderAware;
-import org.springframework.core.io.Resource;
-import org.springframework.core.io.ResourceLoader;
-
-import at.gv.egiz.bku.conf.Configurator;
-import at.gv.egiz.bku.online.webapp.SpringBKUServlet;
-import at.gv.egiz.bku.slexceptions.SLRuntimeException;
-import at.gv.egiz.stal.service.impl.RequestBrokerSTALFactory;
-
-public class SpringConfigurator extends Configurator implements
- ResourceLoaderAware {
-
- private final static Log log = LogFactory.getLog(SpringConfigurator.class);
-
- private ResourceLoader resourceLoader;
-
- public void setResource(Resource resource) {
- log.debug("Loading config from: " + resource);
- if (resource != null) {
- Properties props = new Properties();
- try {
- props.load(resource.getInputStream());
- super.setConfiguration(props);
- } catch (IOException e) {
- log.error("Cannot load config", e);
- }
- } else {
- log.warn("Cannot load properties, resource: " + resource);
- }
- }
-
- public void configureNetwork() {
- super.configureNetwork();
- String appletTimeout = getProperty("AppletTimeout");
- if ((appletTimeout != null)) {
- try {
- long ato = Long.parseLong(appletTimeout);
- log.debug("Setting applet timeout to:"+ato);
- RequestBrokerSTALFactory.setTimeout(ato);
- } catch (NumberFormatException nfe) {
- log.error("Cannot set Applettimeout", nfe);
- }
-
- }
- }
-
- public void configure() {
- super.configure();
- SpringBKUServlet.setConfigurator(this);
- }
-
- @Override
- public void setResourceLoader(ResourceLoader loader) {
- this.resourceLoader = loader;
- }
-
- private File getDirectory(String property) {
- if (property != null) {
- Resource certDirRes = resourceLoader.getResource(property);
- File certDir;
- try {
- certDir = certDirRes.getFile();
- } catch (IOException e) {
- log.error("Cannot get cert directory", e);
- throw new SLRuntimeException(e);
- }
- if (!certDir.isDirectory()) {
- log.error("Expecting directory as SSL.certDirectory parameter");
- throw new SLRuntimeException(
- "Expecting directory as SSL.certDirectory parameter");
- }
- return certDir;
- }
- return null;
-
- }
-
- @Override
- protected File getCADir() {
- String caDirectory = getProperty("SSL.caDirectory");
- return getDirectory(caDirectory);
- }
-
- @Override
- protected File getCertDir() {
- String certDirectory = getProperty("SSL.certDirectory");
- return getDirectory(certDirectory);
- }
-
- @Override
- protected InputStream getManifest() {
- Resource r = resourceLoader.getResource("META-INF/MANIFEST.MF");
- if (r != null) {
- try {
- return r.getInputStream();
- } catch (IOException e) {
- log.error("Cannot read manifest data:", e);
- }
- }
- return null;
- }
-}
\ No newline at end of file
diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/spring/ServletContextPathFactoryBean.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/spring/ServletContextPathFactoryBean.java
new file mode 100644
index 00000000..27dfcd92
--- /dev/null
+++ b/BKUOnline/src/main/java/at/gv/egiz/bku/online/spring/ServletContextPathFactoryBean.java
@@ -0,0 +1,49 @@
+/*
+* Copyright 2009 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+package at.gv.egiz.bku.online.spring;
+
+import javax.servlet.ServletContext;
+
+import org.springframework.beans.factory.FactoryBean;
+import org.springframework.web.context.ServletContextAware;
+
+public class ServletContextPathFactoryBean implements FactoryBean, ServletContextAware {
+
+ private String contextPath;
+
+ @Override
+ public void setServletContext(ServletContext servletContext) {
+ contextPath = servletContext.getContextPath();
+ }
+
+ @Override
+ public Object getObject() throws Exception {
+ return contextPath;
+ }
+
+ @Override
+ public Class<?> getObjectType() {
+ return String.class;
+ }
+
+ @Override
+ public boolean isSingleton() {
+ return true;
+ }
+
+}
diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/AbstractWebRequestHandler.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/AbstractWebRequestHandler.java
new file mode 100644
index 00000000..019b8efe
--- /dev/null
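Review bot: `implements FactoryBean` in ServletContextPathFactoryBean uses the raw type, so getObject() is typed as Object even though getObjectType() promises String; if the Spring version in use is 3.0 or later, `implements FactoryBean<String>` with `public String getObject() throws Exception` states the product type and lets injection sites avoid a cast. The class also carries no Javadoc; a one-line class comment such as `/** Exposes the web application's servlet context path as a singleton String bean. */` would tell a reader why a factory bean exists for a single string.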
+++ b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/AbstractWebRequestHandler.java 
@@ -0,0 +1,327 @@ +/* +* Copyright 2009 Federal Chancellery Austria and +* Graz University of Technology +* +* Licensed under the Apache License, Version 2.0 (the "License"); +* you may not use this file except in compliance with the License. +* You may obtain a copy of the License at +* +* http://www.apache.org/licenses/LICENSE-2.0 +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, +* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +* See the License for the specific language governing permissions and +* limitations under the License. +*/ + +package at.gv.egiz.bku.online.webapp; + +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.io.InputStream; +import java.net.URI; +import java.net.URISyntaxException; +import java.util.Arrays; +import java.util.Enumeration; +import java.util.HashMap; +import java.util.Locale; +import java.util.Map; +import java.util.regex.Pattern; + +import javax.servlet.ServletException; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.servlet.http.HttpSession; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.slf4j.MDC; + +import at.gv.egiz.bku.binding.HTTPBindingProcessor; +import at.gv.egiz.bku.binding.HttpUtil; +import at.gv.egiz.bku.binding.Id; +import at.gv.egiz.bku.binding.IdFactory; +import at.gv.egiz.bku.binding.InputDecoderFactory; +import at.gv.egiz.bku.utils.StreamUtil; +import at.gv.egiz.org.apache.tomcat.util.http.AcceptLanguage; + +public abstract class AbstractWebRequestHandler extends SpringBKUServlet { + + private static final long serialVersionUID = 1L; + + public static final String APPLET_PAGE_P = "appletPage"; + public static final String APPLET_PAGE_DEFAULT = "applet.jsp"; + + public static final String PARAM_APPLET_WIDTH = "appletWidth"; + public static 
final String ATTR_APPLET_WIDTH = "appletWidth"; + + public static final String PARAM_APPLET_HEIGHT = "appletHeight"; + public static final String ATTR_APPLET_HEIGHT = "appletHeight"; + + public static final String PARAM_APPLET_BACKGROUND = "appletBackground"; + public static final String ATTR_APPLET_BACKGROUND = "appletBackground"; + + public static final String PARAM_APPLET_BACKGROUND_COLOR = "appletBackgroundColor"; + public static final String ATTR_APPLET_BACKGROUND_COLOR = "appletBackgroundColor"; + + public static final Pattern PATTERM_APPLET_BACKGROUND_COLOR = Pattern.compile("\\#[0-9a-fA-F]{6}"); + public static final String PARAM_APPLET_GUI_STYLE = "appletGuiStyle"; + public static final String ATTR_APPLET_GUI_STYLE = "appletGuiStyle"; + + public static final String[] VALUES_APPLET_GUI_STYLE = new String[] {"tiny", "simple", "advanced"}; + public static final String PARAM_APPLET_EXTENSION = "appletExtension"; + public static final String ATTR_APPLET_EXTENSION = "appletExtension"; + + public static final String[] VALUES_APPLET_EXTENSION = new String[] {"pin", "activation"}; + public static final String PARAM_LOCALE = "locale"; + public static final String ATTR_LOCALE = "locale"; + + public static final Pattern PATTERN_LOCALE = Pattern.compile("[a-zA-Z][a-zA-Z](_[a-zA-Z][a-zA-Z]){0,2}"); + public static final String REDIRECT_URL_SESSION_ATTRIBUTE = "redirectUrl"; + + private final Logger log = LoggerFactory.getLogger(BKURequestHandler.class); + + protected static String getStringFromStream(InputStream is, String encoding) + throws IOException { + if (is == null) { + return null; + } + if (encoding == null) { + encoding = HttpUtil.DEFAULT_CHARSET; + } + ByteArrayOutputStream os = new ByteArrayOutputStream(); + StreamUtil.copyStream(is, os); + return new String(os.toByteArray(), encoding); + } + + protected abstract String getRequestProtocol(HttpServletRequest req); + + protected HTTPBindingProcessor getBindingProcessor(Id id, HttpServletRequest req, Locale 
locale) { + + // remove existing binding processor if present + getBindingProcessorManager().removeBindingProcessor(id); + + // create new binding processor + return (HTTPBindingProcessor) getBindingProcessorManager().createBindingProcessor(getRequestProtocol(req), locale); + + } + + @Override + protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, + java.io.IOException { + + String msg = (req.getSession(false) == null) ? "New session created." + : "Session already established."; + + Id id = IdFactory.getInstance().createId(req.getSession().getId()); + MDC.put("id", id.toString()); + + String acceptLanguage = req.getHeader("Accept-Language"); + Locale locale = AcceptLanguage.getLocale(acceptLanguage); + + if (log.isInfoEnabled()) { + log.info("Recieved request (Accept-Language locale: {}). {}", locale, msg); + } + + try { + + HTTPBindingProcessor bindingProcessor = getBindingProcessor(id, req, locale); + + Map<String, String> headerMap = new HashMap<String, String>(); + for (Enumeration<?> headerName = req.getHeaderNames(); headerName + .hasMoreElements();) { + String header = (String) headerName.nextElement(); + if (header != null) { + headerMap.put(header, req.getHeader(header)); + } + } + + InputStream inputStream; + String charset; + if (req.getMethod().equals("POST")) { + charset = req.getCharacterEncoding(); + String contentType = req.getContentType(); + if (charset != null) { + contentType += ";" + charset; + } + headerMap.put(HttpUtil.HTTP_HEADER_CONTENT_TYPE, contentType); + inputStream = req.getInputStream(); + } else { + charset = "UTF-8"; + headerMap.put(HttpUtil.HTTP_HEADER_CONTENT_TYPE, + InputDecoderFactory.URL_ENCODED); + String queryString = req.getQueryString(); + if (queryString != null) { + inputStream = new ByteArrayInputStream(queryString.getBytes(charset)); + } else { + inputStream = new ByteArrayInputStream(new byte[] {}); + } + } + bindingProcessor.setHTTPHeaders(headerMap); + 
bindingProcessor.consumeRequestStream(req.getRequestURL().toString(), + inputStream); + + req.getInputStream().close(); + getBindingProcessorManager().process(id, bindingProcessor); + + HttpSession session = req.getSession(); + + log.trace("Looking for applet parameters in request."); + + // appletWidth + String width = getStringFromStream(bindingProcessor + .getFormData(PARAM_APPLET_WIDTH), charset); + if (width != null && !width.isEmpty()) { + try { + // must be a valid integer + session.setAttribute(ATTR_APPLET_WIDTH, Integer.parseInt(width)); + log.debug("Found parameter " + PARAM_APPLET_WIDTH + "='{}'.", width); + } catch (NumberFormatException nfe) { + log.warn("Parameter " + PARAM_APPLET_WIDTH + + " does not contain a valid value.", nfe); + } + } + + // appletHeight + String height = getStringFromStream(bindingProcessor + .getFormData(PARAM_APPLET_HEIGHT), charset); + if (height != null && !height.isEmpty()) { + try { + // must be a valid integer + session.setAttribute(ATTR_APPLET_HEIGHT, Integer.parseInt(height)); + log.debug("Found parameter " + PARAM_APPLET_HEIGHT + "='{}'.", height); + } catch (NumberFormatException nfe) { + log.warn("Parameter " + PARAM_APPLET_HEIGHT + + " does not contain a valid value.", nfe); + } + } + + // appletBackground + String background = getStringFromStream(bindingProcessor + .getFormData(PARAM_APPLET_BACKGROUND), charset); + if (background != null && !background.isEmpty()) { + session.setAttribute(ATTR_APPLET_BACKGROUND, background); + try { + // must be a valid http or https URL + URI backgroundURL = new URI(background); + if ("http".equals(backgroundURL.getScheme()) + || "https".equals(backgroundURL.getScheme())) { + session.setAttribute(ATTR_APPLET_BACKGROUND, backgroundURL + .toASCIIString()); + log.debug("Found parameter " + PARAM_APPLET_BACKGROUND + "='{}'.", + backgroundURL.toASCIIString()); + } else { + log.warn("Parameter " + PARAM_APPLET_BACKGROUND + + "='{}' is not a valid http/https URL.", background); + } + } 
catch (URISyntaxException e) { + log.warn("Parameter " + PARAM_APPLET_BACKGROUND + + "='{}' is not a valid http/https URL.", background, e); + } + } + + // appletBackgroundColor + String backgroundColor = getStringFromStream(bindingProcessor + .getFormData(PARAM_APPLET_BACKGROUND_COLOR), charset); + if (backgroundColor != null && !backgroundColor.isEmpty()) { + // must be a valid color definition + if (PATTERM_APPLET_BACKGROUND_COLOR.matcher(backgroundColor).matches()) { + session.setAttribute(ATTR_APPLET_BACKGROUND_COLOR, backgroundColor); + log.debug("Faund parameter " + PARAM_APPLET_BACKGROUND_COLOR + + "='{}'.", backgroundColor); + } else { + log.warn("Parameter " + PARAM_APPLET_BACKGROUND_COLOR + + "='{}' is not a valid color definition " + + "(must be of form '#hhhhhh').", backgroundColor); + } + } + + // appletGuiStyle + String guiStyle = getStringFromStream(bindingProcessor + .getFormData(PARAM_APPLET_GUI_STYLE), charset); + if (guiStyle != null && !guiStyle.isEmpty()) { + // must be one of VALUES_APPLET_GUI_STYLE + String style = guiStyle.toLowerCase(); + if (Arrays.asList(VALUES_APPLET_GUI_STYLE).contains(style)) { + session.setAttribute(ATTR_APPLET_GUI_STYLE, style); + log.debug("Found parameter " + PARAM_APPLET_GUI_STYLE + "='{}'.", style); + } else { + StringBuilder sb = new StringBuilder(); + sb.append("Parameter ").append(PARAM_APPLET_GUI_STYLE).append( + "='").append(guiStyle).append("' is not valid (must be one of ") + .append(Arrays.toString(VALUES_APPLET_GUI_STYLE)).append(")."); + log.warn(sb.toString()); + } + } + + // appletExtension + String extension = getStringFromStream(bindingProcessor + .getFormData(PARAM_APPLET_EXTENSION), charset); + if (extension != null && !extension.isEmpty()) { + // must be one of VALUES_APPLET_EXTENSION + String ext = extension.toLowerCase(); + if (Arrays.asList(VALUES_APPLET_EXTENSION).contains(ext)) { + session.setAttribute(ATTR_APPLET_EXTENSION, ext); + log.debug("Found parameter " + PARAM_APPLET_EXTENSION + 
"='{}'.", ext); + } else { + StringBuilder sb = new StringBuilder(); + sb.append("Parameter ").append(PARAM_APPLET_EXTENSION).append( + "='").append(extension).append("' is not valid (must be one of ") + .append(Arrays.toString(VALUES_APPLET_EXTENSION)).append(")."); + log.warn(sb.toString()); + } + } + + // locale + String localeFormParam = getStringFromStream(bindingProcessor + .getFormData(PARAM_LOCALE), charset); + if (localeFormParam != null && !localeFormParam.isEmpty()) { + // must be a valid locale + if (PATTERN_LOCALE.matcher(localeFormParam).matches()) { + locale = new Locale(localeFormParam); + log.debug("Override accept-language header locale {} " + + "with form param {}.", locale, localeFormParam); + } else { + log.warn("Parameter " + PARAM_LOCALE + + "='{}' is not a valid locale definition.", localeFormParam); + } + } + if (locale != null) { + log.debug("Using locale {}.", locale); + session.setAttribute(ATTR_LOCALE, locale.toString()); + } + + beforeAppletPage(req, bindingProcessor); + + String appletPage = getStringFromStream(bindingProcessor + .getFormData(APPLET_PAGE_P), charset); + if (appletPage == null || appletPage.isEmpty()) { + appletPage = APPLET_PAGE_DEFAULT; + } + log.debug("Sending redirect to UI page '{}'.", appletPage); + resp.sendRedirect(appletPage); + + } finally { + MDC.remove("id"); + } + } + + @Override + protected void doGet(HttpServletRequest req, HttpServletResponse resp) + throws ServletException, java.io.IOException { + doPost(req, resp); + } + + /** + * Called before the request is forwarded or redirected to the Applet page. + * + * @param req + * @param bindingProcessor + */ + protected void beforeAppletPage(HttpServletRequest req, + HTTPBindingProcessor bindingProcessor) { + } + +} diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/AppletDispatcher.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/AppletDispatcher.java index 24938cd5..9e455621 100644 
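Review bot: `resp.sendRedirect(appletPage)` at the end of doPost sends the browser to whatever the `appletPage` form field contains, so a request carrying an absolute or scheme-relative URL turns the BKU endpoint into an open redirect; the removed BKURequestHandler code resolved this value through getNamedDispatcher, which confined it to configured servlet names. Before redirecting, reject values that parse as absolute or carry an authority, e.g. `URI target = new URI(appletPage);` followed by `if (target.isAbsolute() || target.getRawAuthority() != null) appletPage = APPLET_PAGE_DEFAULT;`, treating a URISyntaxException the same way, or check the value against a configured allow-list of page names. In the appletBackground branch the raw value is stored via `session.setAttribute(ATTR_APPLET_BACKGROUND, background)` before the scheme check runs, so a value that is not http/https or that fails to parse stays in the session; move that call inside the successful branch. The logger is also created for `BKURequestHandler.class` rather than `AbstractWebRequestHandler.class`, which misattributes every log line written by the abstract handler.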
--- a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/AppletDispatcher.java +++ b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/AppletDispatcher.java @@ -24,8 +24,8 @@ import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; /** * prevent applet caching, @@ -35,7 +35,9 @@ import org.apache.commons.logging.LogFactory; */ public class AppletDispatcher extends HttpServlet { - protected final static Log log = LogFactory.getLog(AppletDispatcher.class); + private static final long serialVersionUID = 1L; + + private final Logger log = LoggerFactory.getLogger(AppletDispatcher.class); public static final String DISPATCH_CTX = "dispatch/"; public static final String RAND_PREFIX = "__"; @@ -65,10 +67,7 @@ public class AppletDispatcher extends HttpServlet { uri = archivePattern.matcher(uri).replaceAll(".jar"); // log.trace("removing random suffix " + uri); - if (log.isTraceEnabled()) { - log.trace("dispatching request URI " + request.getRequestURI() + - " to " + uri); - } + log.trace("Dispatching request URI {} to {}.", request.getRequestURI(), uri); RequestDispatcher dispatcher = getServletContext().getRequestDispatcher(uri); dispatcher.forward(request, response); diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/BKURequestHandler.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/BKURequestHandler.java index 7dfec211..d42f911c 100644 --- a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/BKURequestHandler.java +++ b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/BKURequestHandler.java 
@@ -16,302 +16,37 @@ */ package at.gv.egiz.bku.online.webapp; -import java.io.ByteArrayOutputStream; -import java.io.IOException; -import java.io.InputStream; -import java.net.MalformedURLException; -import java.net.URI; -import java.net.URISyntaxException; -import java.net.URL; -import java.net.URLEncoder; -import java.util.Arrays; -import java.util.Enumeration; -import java.util.HashMap; -import java.util.Locale; -import java.util.Map; -import java.util.regex.Pattern; - -import javax.servlet.RequestDispatcher; -import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; -import javax.servlet.http.HttpSession; -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; -import at.gv.egiz.bku.binding.BindingProcessor; import at.gv.egiz.bku.binding.HTTPBindingProcessor; -import at.gv.egiz.bku.binding.HttpUtil; -import at.gv.egiz.bku.binding.IdFactory; -import at.gv.egiz.bku.utils.StreamUtil; -import at.gv.egiz.org.apache.tomcat.util.http.AcceptLanguage; +import at.gv.egiz.bku.binding.HTTPBindingProcessorImpl; /** * Handles SL requests and instantiates BindingProcessors * */ -public class BKURequestHandler extends SpringBKUServlet { - - private static final long serialVersionUID = 1L; - - public static final String APPLET_PAGE_P = "appletPage"; - public static final String APPLET_PAGE_DEFAULT = "BKUApplet"; - - public static final String PARAM_APPLET_WIDTH = "appletWidth"; - public static final String ATTR_APPLET_WIDTH = "appletWidth"; - - public static final String PARAM_APPLET_HEIGHT = "appletHeight"; - public static final String ATTR_APPLET_HEIGHT = "appletHeight"; +public class BKURequestHandler extends AbstractWebRequestHandler { - public static final String PARAM_APPLET_BACKGROUND = "appletBackground"; - public static final String ATTR_APPLET_BACKGROUND = "appletBackground"; - - public static final String 
PARAM_APPLET_BACKGROUND_COLOR = "appletBackgroundColor"; - public static final String ATTR_APPLET_BACKGROUND_COLOR = "appletBackgroundColor"; - public static final Pattern PATTERM_APPLET_BACKGROUND_COLOR = Pattern.compile("\\#[0-9a-fA-F]{6}"); - - public static final String PARAM_APPLET_GUI_STYLE = "appletGuiStyle"; - public static final String ATTR_APPLET_GUI_STYLE = "appletGuiStyle"; - public static final String[] VALUES_APPLET_GUI_STYLE = new String[] {"tiny", "simple", "advanced"}; + private static final long serialVersionUID = 1L; - public static final String PARAM_APPLET_EXTENSION = "appletExtension"; - public static final String ATTR_APPLET_EXTENSION = "appletExtension"; - public static final String[] VALUES_APPLET_EXTENSION = new String[] {"pin", "activation"}; + private final Logger log = LoggerFactory.getLogger(BKURequestHandler.class); - public static final String PARAM_LOCALE = "locale"; - public static final String ATTR_LOCALE = "locale"; - public static final Pattern PATTERN_LOCALE = Pattern.compile("[a-zA-Z][a-zA-Z](_[a-zA-Z][a-zA-Z]){0,2}"); - - public final static String REDIRECT_URL_SESSION_ATTRIBUTE = "redirectUrl"; - - protected Log log = LogFactory.getLog(BKURequestHandler.class); - - private static String getStringFromStream(InputStream is, String encoding) - throws IOException { - if (is == null) { - return null; - } - if (encoding == null) { - encoding = HttpUtil.DEFAULT_CHARSET; - } - ByteArrayOutputStream os = new ByteArrayOutputStream(); - StreamUtil.copyStream(is, os); - return new String(os.toByteArray(), encoding); - } - @Override - protected void doPost(HttpServletRequest req, HttpServletResponse resp) - throws ServletException, java.io.IOException { - log.debug("Received SecurityLayer request"); - - HttpSession session = req.getSession(false); - if (session != null) { - log.warn("Already a session with id: " + session.getId() - + " active, trying to get Bindingprocessor"); - BindingProcessor bp = 
getBindingProcessorManager().getBindingProcessor( - IdFactory.getInstance().createId(session.getId())); - if (bp != null) { - log.debug("Found binding processor, using this one"); - String appletPage = getStringFromStream( - ((HTTPBindingProcessor) bp).getFormData(APPLET_PAGE_P), - req.getCharacterEncoding()); - getDispatcher(appletPage).forward(req, resp); - return; - } - log.debug("Did not find a binding processor, creating new ..."); - } - session = req.getSession(true); - if (log.isDebugEnabled()) { - log.debug("Using session id: " + session.getId()); - } - - String acceptLanguage = req.getHeader("Accept-Language"); - Locale locale = AcceptLanguage.getLocale(acceptLanguage); - log.debug("Accept-Language locale: " + locale); - - HTTPBindingProcessor bindingProcessor; - bindingProcessor = (HTTPBindingProcessor) getBindingProcessorManager() - .createBindingProcessor(req.getRequestURL().toString(), - session.getId(), locale); - - Map<String, String> headerMap = new HashMap<String, String>(); - for (Enumeration<String> headerName = req.getHeaderNames(); headerName - .hasMoreElements();) { - String header = headerName.nextElement(); - if (header != null) { - headerMap.put(header, req.getHeader(header)); - } - } - String charset = req.getCharacterEncoding(); - String contentType = req.getContentType(); - if (charset != null) { - contentType += ";" + charset; - } - headerMap.put(HttpUtil.HTTP_HEADER_CONTENT_TYPE, contentType); - bindingProcessor.setHTTPHeaders(headerMap); - bindingProcessor.consumeRequestStream(req.getInputStream()); - req.getInputStream().close(); - getBindingProcessorManager().process(bindingProcessor); - - log.trace("Trying to find applet parameters in request"); - - // appletWidth - String width = getStringFromStream(bindingProcessor - .getFormData(PARAM_APPLET_WIDTH), charset); - if (width != null) { - try { - // must be a valid integer - session.setAttribute(ATTR_APPLET_WIDTH, Integer.parseInt(width)); - log.trace("Found parameter " + 
PARAM_APPLET_WIDTH + "='" + width +"'."); - } catch (NumberFormatException nfe) { - log.warn("Applet parameter " + PARAM_APPLET_WIDTH + - " does not contain a valid value.", nfe); - } - } - - // appletHeight - String height = getStringFromStream(bindingProcessor - .getFormData(PARAM_APPLET_HEIGHT), charset); - if (height != null) { - try { - // must be a valid integer - session.setAttribute(ATTR_APPLET_HEIGHT, Integer.parseInt(height)); - log.trace("Found parameter " + PARAM_APPLET_HEIGHT + "='" + height + "'."); - } catch (NumberFormatException nfe) { - log.warn("Applet parameter " + PARAM_APPLET_HEIGHT + - " does not contain a valid value.", nfe); - } - } - - // appletBackground - String background = getStringFromStream(bindingProcessor - .getFormData(PARAM_APPLET_BACKGROUND), charset); - if (background != null) { - session.setAttribute(ATTR_APPLET_BACKGROUND, background); - try { - // must be a valid http or https URL - URI backgroundURL = new URI(background); - if ("http".equals(backgroundURL.getScheme()) - || "https".equals(backgroundURL.getScheme())) { - session.setAttribute(ATTR_APPLET_BACKGROUND, backgroundURL.toASCIIString()); - log.trace("Found parameter " + PARAM_APPLET_BACKGROUND + "='" - + backgroundURL.toASCIIString() + "'."); - } else { - log.warn("Applet parameter " + PARAM_APPLET_BACKGROUND + "='" - + background + "' is not a valid http/https URL."); - } - } catch (URISyntaxException e) { - log.warn("Applet parameter " + PARAM_APPLET_BACKGROUND + "='" - + background + "' is not a valid http/https URL.", e); - } - } - - // appletBackgroundColor - String backgroundColor = getStringFromStream(bindingProcessor - .getFormData(PARAM_APPLET_BACKGROUND_COLOR), charset); - if (backgroundColor != null) { - // must be a valid color definition - if (PATTERM_APPLET_BACKGROUND_COLOR.matcher(backgroundColor).matches()) { - session.setAttribute(ATTR_APPLET_BACKGROUND_COLOR, backgroundColor); - log.trace("Faund parameter " + PARAM_APPLET_BACKGROUND_COLOR + "='" - + 
backgroundColor + "'."); - } else { - log.warn("Applet parameter " + PARAM_APPLET_BACKGROUND_COLOR + "='" - + backgroundColor + "' is not a valid color definition (must be of form '#hhhhhh')."); - } - } - - // appletGuiStyle - String guiStyle = getStringFromStream(bindingProcessor - .getFormData(PARAM_APPLET_GUI_STYLE), charset); - if (guiStyle != null) { - // must be one of VALUES_APPLET_GUI_STYLE - String style = guiStyle.toLowerCase(); - if (Arrays.asList(VALUES_APPLET_GUI_STYLE).contains(style)) { - session.setAttribute(ATTR_APPLET_GUI_STYLE, style); - log.trace("Found parameter " + PARAM_APPLET_GUI_STYLE + "='" - + style + "'."); - } else { - StringBuilder sb = new StringBuilder(); - sb.append("Applet parameter ").append(PARAM_APPLET_GUI_STYLE).append( - "='").append(guiStyle).append("' is not valid (must be one of ") - .append(Arrays.toString(VALUES_APPLET_GUI_STYLE)).append(")."); - log.warn(sb); - } - } - - // appletExtension - String extension = getStringFromStream(bindingProcessor - .getFormData(PARAM_APPLET_EXTENSION), charset); - if (extension != null) { - // must be one of VALUES_APPLET_EXTENSION - String ext = extension.toLowerCase(); - if (Arrays.asList(VALUES_APPLET_EXTENSION).contains(ext)) { - session.setAttribute(ATTR_APPLET_EXTENSION, ext); - log.trace("Found parameter " + PARAM_APPLET_EXTENSION + "='" - + ext + "'."); - } else { - StringBuilder sb = new StringBuilder(); - sb.append("Applet parameter ").append(PARAM_APPLET_EXTENSION).append( - "='").append(extension).append("' is not valid (must be one of ") - .append(Arrays.toString(VALUES_APPLET_EXTENSION)).append(")."); - log.warn(sb); - } - } - - // locale - String localeFormParam = getStringFromStream(bindingProcessor - .getFormData(PARAM_LOCALE), charset); - if (localeFormParam != null) { - // must be a valid locale - if (PATTERN_LOCALE.matcher(localeFormParam).matches()) { - locale = new Locale(localeFormParam); - log.debug("Overrule accept-language header locale " + locale - + " with 
form param " + localeFormParam + "."); - } else { - log.warn("Parameter " + PARAM_LOCALE + "='" + localeFormParam - + "' is not a valid locale definition."); - } - } - if (locale != null) { - log.debug("Using locale " + locale); - session.setAttribute(ATTR_LOCALE, locale.toString()); - } - + protected void beforeAppletPage(HttpServletRequest req, HTTPBindingProcessor bindingProcessor) { // handle server side redirect url after processing - String redirectUrl = bindingProcessor.getRedirectURL(); + String redirectUrl = ((HTTPBindingProcessorImpl) bindingProcessor).getRedirectURL(); if ( redirectUrl != null) { - log.info("Got redirect URL "+redirectUrl+". Deferring browser redirect."); - session.setAttribute(REDIRECT_URL_SESSION_ATTRIBUTE, redirectUrl); + log.info("Got redirect URL '{}'. Deferring browser redirect.", redirectUrl); + req.getSession().setAttribute(REDIRECT_URL_SESSION_ATTRIBUTE, redirectUrl); } - - String appletPage = getStringFromStream(bindingProcessor - .getFormData(APPLET_PAGE_P), charset); - getDispatcher(appletPage).forward(req, resp); } @Override - protected void doGet(HttpServletRequest req, HttpServletResponse resp) - throws ServletException, java.io.IOException { - doPost(req, resp); - } - - private RequestDispatcher getDispatcher(String appletPage) { - RequestDispatcher dispatcher = null; - if (appletPage != null) { - log.trace("requested appletPage " + appletPage); - dispatcher = getServletContext().getNamedDispatcher(appletPage); - } - if (dispatcher == null) { - log.debug("no appletPage requested or appletPage not configured, using default"); - appletPage = APPLET_PAGE_DEFAULT; - dispatcher = getServletContext().getNamedDispatcher(appletPage); - } -// session.setAttribute(APPLET_PAGE_P, appletPage); - log.debug("forward to applet " + appletPage); - - return dispatcher; + protected String getRequestProtocol(HttpServletRequest req) { + return "HTTP"; } } 
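Review bot: `((HTTPBindingProcessorImpl) bindingProcessor).getRedirectURL()` in beforeAppletPage is an unchecked downcast of a value the abstract handler obtained from getBindingProcessorManager(), so any other HTTPBindingProcessor implementation handed in by that manager produces a ClassCastException and a failed request instead of simply having no redirect URL. Guard it with `if (bindingProcessor instanceof HTTPBindingProcessorImpl)` or, if the interface is under your control, declare getRedirectURL on HTTPBindingProcessor so no cast is needed. beforeAppletPage overrides the hook declared in AbstractWebRequestHandler but lacks the `@Override` annotation that getRequestProtocol below it carries. The value stored under REDIRECT_URL_SESSION_ATTRIBUTE originates from the processed request, and whichever component later issues the browser redirect from that attribute is outside this hunk; it is worth confirming that it validates the target rather than redirecting blindly.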
diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/MoccaContextListener.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/MoccaContextListener.java
new file mode 100644
index 00000000..8d65c92e
--- /dev/null
+++ b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/MoccaContextListener.java
@@ -0,0 +1,128 @@ +/* +* Copyright 2009 Federal Chancellery Austria and +* Graz University of Technology +* +* Licensed under the Apache License, Version 2.0 (the "License"); +* you may not use this file except in compliance with the License. +* You may obtain a copy of the License at +* +* http://www.apache.org/licenses/LICENSE-2.0 +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, +* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +* See the License for the specific language governing permissions and +* limitations under the License. +*/ + +package at.gv.egiz.bku.online.webapp; + +import iaik.security.ecc.provider.ECCProvider; +import iaik.security.provider.IAIK; +import iaik.xml.crypto.XSecProvider; + +import java.security.Provider; +import java.security.Security; +import java.util.ArrayList; +import java.util.List; + +import javax.servlet.ServletContext; +import javax.servlet.ServletContextEvent; +import javax.servlet.ServletContextListener; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +public class MoccaContextListener implements ServletContextListener { + + public static final String DISABLE_SECURITY_PROVIDER_REGISTRATION = "disableSecurityProviderRegistration"; + + private Logger log = LoggerFactory.getLogger(MoccaContextListener.class); + + private final List<Provider> selfRegisteredProviders = new ArrayList<Provider>(); + + @Override + public void contextDestroyed(ServletContextEvent sce) { + log.info("Deregistering self registered security providers."); + + for (Provider provider : selfRegisteredProviders) { + Security.removeProvider(provider.getName()); + } + selfRegisteredProviders.clear(); + + } + + @Override + public void contextInitialized(ServletContextEvent sce) { + + ServletContext servletContext = sce.getServletContext(); + if 
(!Boolean.parseBoolean(servletContext.getInitParameter(DISABLE_SECURITY_PROVIDER_REGISTRATION))) { + log.info("Looking for required and registered security providers ..."); + + registerProviders(); + + if (!selfRegisteredProviders.isEmpty()) { + log.warn("Security providers have been registered. " + + "This may affect other contexts in the same container!"); + } + + if (log.isDebugEnabled()) { + StringBuilder sb = new StringBuilder(); + sb.append("Registered providers: "); + int i = 1; + for (Provider prov : Security.getProviders()) { + sb.append("\n" + (i++) + ". : " + prov); + } + log.debug(sb.toString()); + } + } + + + } + + + protected void registerProvider(Provider provider, int position) { + String name = provider.getName(); + if (Security.getProvider(name) == null) { + // register IAIK provider at first position + try { + if (position > 0) { + position = Security.insertProviderAt(provider, position); + } else { + position = Security.addProvider(provider); + } + log.info("Required security Provider {} was not yet registered. " + + "Now registered at position {}.", name, position); + selfRegisteredProviders.add(provider); + } catch (SecurityException e) { + log.info("Failed to register required security Provider.", e); + } + } else { + log.info("Required security Provider {} already registered.", name); + } + + } + + protected void registerProviders() { + + registerProvider(new IAIK(), 1); + registerProvider(new ECCProvider(false), 2); + + final String name = XSecProvider.NAME; + if (Security.getProvider(XSecProvider.NAME) == null) { + // register XML Security provider + try { + XSecProvider.addAsProvider(false); + log.info("Required security Provider {} was not yet registered. 
" + + "Now registered.", name); + selfRegisteredProviders.add(Security.getProvider(name)); + } catch (SecurityException e) { + log.info("Failed to register required security Provider.", e); + } + } else { + log.info("Required security Provider {} already registered.", name); + } + + } + +} diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/ResultServlet.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/ResultServlet.java index 5ffe2399..5fd01775 100644 --- a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/ResultServlet.java +++ b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/ResultServlet.java @@ -25,13 +25,14 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.slf4j.MDC; +import at.gv.egiz.bku.binding.BindingProcessor; import at.gv.egiz.bku.binding.HTTPBindingProcessor; -import at.gv.egiz.bku.binding.HttpUtil; +import at.gv.egiz.bku.binding.Id; import at.gv.egiz.bku.binding.IdFactory; -import at.gv.egiz.bku.conf.Configurator; import at.gv.egiz.bku.utils.NullOutputStream; /** @@ -40,7 +41,9 @@ import at.gv.egiz.bku.utils.NullOutputStream; */ public class ResultServlet extends SpringBKUServlet { - private final static Log log = LogFactory.getLog(ResultServlet.class); + private static final long serialVersionUID = 1L; + + private final Logger log = LoggerFactory.getLogger(ResultServlet.class); private String encoding = "UTF-8"; private String expiredPage = "./expiredError.jsp"; 
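Review bot: A failed provider registration is only logged at info level in both catch blocks of registerProvider and registerProviders (`log.info("Failed to register required security Provider.", e)`), so an operator filtering at warn or above will not notice that the IAIK, ECC or XSec provider is absent while the application keeps running and later signature or certificate operations fail or fall back to whichever provider the JVM already has; `log.error("Failed to register required security Provider {}.", name, e)` is the appropriate level. In registerProviders, `selfRegisteredProviders.add(Security.getProvider(name))` can add null if addAsProvider did not register under that name, and contextDestroyed would then throw on `provider.getName()` — either guard the result with a null check or skip the add when the lookup fails. The comment `// register IAIK provider at first position` inside the generic registerProvider is stale; `// insert at the requested position, or append when position <= 0` describes what the code does.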
@@ -51,12 +54,12 @@ public class ResultServlet extends SpringBKUServlet { private void myInit() { String enc = getServletContext().getInitParameter("responseEncoding"); if (enc != null) { - log.debug("Init default encoding to: " + enc); + log.trace("Init default encoding to: {}.", enc); encoding = enc; } String expP = getServletConfig().getInitParameter("expiredPage"); if (expP != null) { - log.debug("Init expired page to: " + expP); + log.trace("Init expired page to: {}.", expP); expiredPage = expP; } } 
@@ -80,75 +83,65 @@ public class ResultServlet extends SpringBKUServlet { protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, java.io.IOException { - String version = configurator.getProperty(Configurator.SIGNATURE_LAYOUT); - if ((version != null) && (!"".equals(version.trim()))) { - log.debug("setting SignatureLayout header to " + version); - resp.setHeader(Configurator.SIGNATURE_LAYOUT, version); - } else { - log.debug("do not set SignatureLayout header"); - } - - if (configurator.getProperty(Configurator.USERAGENT_CONFIG_P) != null) { - resp.setHeader(HttpUtil.HTTP_HEADER_SERVER, configurator - .getProperty(Configurator.USERAGENT_CONFIG_P)); - } else { - resp.setHeader(HttpUtil.HTTP_HEADER_SERVER, - Configurator.USERAGENT_DEFAULT); - } HttpSession session = req.getSession(false); if (session == null) { resp.sendRedirect(expiredPage); return; } - String sessionId = session.getId(); - if (sessionId == null) { - resp.sendRedirect(expiredPage); - return; - } - log.debug("Got a result request for session: " + sessionId); - HTTPBindingProcessor bp = (HTTPBindingProcessor) getBindingProcessorManager() - .getBindingProcessor(IdFactory.getInstance().createId(sessionId)); - if (bp == null) { + + Id id = IdFactory.getInstance().createId(session.getId()); + + HTTPBindingProcessor bp; + BindingProcessor bindingProcessor = getBindingProcessorManager().getBindingProcessor(id); + if (bindingProcessor instanceof HTTPBindingProcessor) { + bp = (HTTPBindingProcessor) bindingProcessor; + } else { session.invalidate(); resp.sendRedirect(expiredPage); return; } - String redirectUrl = (String) session - .getAttribute(BKURequestHandler.REDIRECT_URL_SESSION_ATTRIBUTE); - if (redirectUrl == null) { - redirectUrl = bp.getRedirectURL(); - } - if (redirectUrl != null) { - try { - bp.writeResultTo(new NullOutputStream(), encoding); - getBindingProcessorManager().removeBindingProcessor(bp.getId()); - } finally { - log.info("Executing deferred 
browser redirect to: " + redirectUrl); - resp.sendRedirect(redirectUrl); - session.invalidate(); + MDC.put("id", id.toString()); + + try { + String redirectUrl = (String) session + .getAttribute(AbstractWebRequestHandler.REDIRECT_URL_SESSION_ATTRIBUTE); + if (redirectUrl == null) { + redirectUrl = bp.getRedirectURL(); } - return; - } - - log.trace("setting response code: " + bp.getResponseCode()); - resp.setStatus(bp.getResponseCode()); - resp.setHeader("Cache-Control", "no-store"); // HTTP 1.1 - resp.setHeader("Pragma", "no-cache"); // HTTP 1.0 - resp.setDateHeader("Expires", 0); - for (Iterator<String> it = bp.getResponseHeaders().keySet().iterator(); it - .hasNext();) { - String header = it.next(); - if (log.isTraceEnabled()) { - log.trace("setting response header " + header + ": " + bp.getResponseHeaders().get(header)); + if (redirectUrl != null) { + try { + bp.writeResultTo(new NullOutputStream(), encoding); + getBindingProcessorManager().removeBindingProcessor(bp.getId()); + } finally { + log.info("Sending deferred redirect, RedirectURL={}.", redirectUrl); + resp.sendRedirect(redirectUrl); + session.invalidate(); + } + return; + } + + log.trace("Setting response code: {}.", bp.getResponseCode()); + resp.setStatus(bp.getResponseCode()); + resp.setHeader("Cache-Control", "no-store"); // HTTP 1.1 + resp.setHeader("Pragma", "no-cache"); // HTTP 1.0 + resp.setDateHeader("Expires", 0); + for (Iterator<String> it = bp.getResponseHeaders().keySet().iterator(); it + .hasNext();) { + String header = it.next(); + log.trace("Setting response header {}: {}.", header, bp.getResponseHeaders().get(header)); + resp.setHeader(header, bp.getResponseHeaders().get(header)); } - resp.setHeader(header, bp.getResponseHeaders().get(header)); + resp.setContentType(bp.getResultContentType()); + resp.setCharacterEncoding(encoding); + log.info("Sending result."); + bp.writeResultTo(resp.getOutputStream(), encoding); + resp.getOutputStream().flush(); + session.invalidate(); + 
getBindingProcessorManager().removeBindingProcessor(bp.getId()); + + } finally { + MDC.remove("id"); } - resp.setContentType(bp.getResultContentType()); - resp.setCharacterEncoding(encoding); - bp.writeResultTo(resp.getOutputStream(), encoding); - resp.getOutputStream().flush(); - session.invalidate(); - getBindingProcessorManager().removeBindingProcessor(bp.getId()); } } diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/SessionTimeout.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/SessionListener.java index 2b56166c..1bec31b6 100644 --- a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/SessionTimeout.java +++ b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/SessionListener.java @@ -14,36 +14,34 @@ * See the License for the specific language governing permissions and * limitations under the License. */ -package at.gv.egiz.bku.online.webapp;
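Review bot: The header-copy loop in doGet calls `bp.getResponseHeaders()` three times per iteration (for the iterator, the trace line and the setHeader call), and the explicit Iterator makes the loop harder to read than it needs to be; assuming the map is `Map<String, String>`, iterating the entry set once — `for (Map.Entry<String, String> h : bp.getResponseHeaders().entrySet())` with `resp.setHeader(h.getKey(), h.getValue())` — does the same work in one read. The MDC scoping with try/finally around the whole body is a good addition; a one-line comment above `MDC.put("id", id.toString())` such as `// tag all log lines of this request with the binding processor id` would make the intent obvious to the next reader.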
-
-import javax.servlet.http.HttpSessionEvent;
-import javax.servlet.http.HttpSessionListener;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
-import at.gv.egiz.bku.binding.BindingProcessorManager;
-import at.gv.egiz.bku.binding.IdFactory;
-
-/**
- * Session listener to trigger the removal of the BindingProcessor
- *
- */
-public class SessionTimeout implements HttpSessionListener {
-
- private static Log log = LogFactory.getLog(SessionTimeout.class);
-
- @Override
- public void sessionCreated(HttpSessionEvent arg0) {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void sessionDestroyed(HttpSessionEvent event) {
- BindingProcessorManager manager = (BindingProcessorManager) event.getSession().getServletContext().getAttribute(SpringBKUServlet.BEAN_NAME);
- log.info("Removing session: "+event.getSession().getId());
- manager.removeBindingProcessor(IdFactory.getInstance().createId(event.getSession().getId()));
- }
-
-}
+package at.gv.egiz.bku.online.webapp; + +import javax.servlet.http.HttpSessionEvent; +import javax.servlet.http.HttpSessionListener; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import at.gv.egiz.bku.binding.BindingProcessorManager; +import at.gv.egiz.bku.binding.IdFactory; + +/** + * Session listener to trigger the removal of the BindingProcessor + * + */ +public class SessionListener implements HttpSessionListener { + + private final Logger log = LoggerFactory.getLogger(SessionListener.class); + + @Override + public void sessionCreated(HttpSessionEvent event) { + } + + @Override + public void sessionDestroyed(HttpSessionEvent event) { + BindingProcessorManager manager = (BindingProcessorManager) event.getSession().getServletContext().getAttribute(SpringBKUServlet.BEAN_NAME); + manager.removeBindingProcessor(IdFactory.getInstance().createId(event.getSession().getId())); + log.info("Session {} destroyed.", event.getSession().getId()); + } + +} diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/ShutdownHandler.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/ShutdownHandler.java index 741b5e32..39d7368d 100644 --- a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/ShutdownHandler.java +++ b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/ShutdownHandler.java @@ -1,48 +1,48 @@ -/*
- * Copyright 2008 Federal Chancellery Austria and
- * Graz University of Technology
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package at.gv.egiz.bku.online.webapp;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.springframework.context.ApplicationEvent;
-import org.springframework.context.ApplicationListener;
-import org.springframework.context.event.ContextClosedEvent;
-
-import at.gv.egiz.bku.binding.BindingProcessorManager;
-
-public class ShutdownHandler implements ApplicationListener {
-
- private static Log log = LogFactory.getLog(ShutdownHandler.class);
-
- private BindingProcessorManager bindingProcessorManager;
-
- public void setBindingProcessorManager(
- BindingProcessorManager bindingProcessorManager) {
- this.bindingProcessorManager = bindingProcessorManager;
- }
-
- @Override
- public void onApplicationEvent(ApplicationEvent event) {
- if (event instanceof ContextClosedEvent) {
- log.info("Shutting down BKU");
- bindingProcessorManager.shutdownNow();
- }
-
- }
-
-}
+/* + * Copyright 2008 Federal Chancellery Austria and + * Graz University of Technology + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package at.gv.egiz.bku.online.webapp; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.context.ApplicationEvent; +import org.springframework.context.ApplicationListener; +import org.springframework.context.event.ContextClosedEvent; + +import at.gv.egiz.bku.binding.BindingProcessorManager; + +public class ShutdownHandler implements ApplicationListener { + + private final Logger log = LoggerFactory.getLogger(ShutdownHandler.class); + + private BindingProcessorManager bindingProcessorManager; + + public void setBindingProcessorManager( + BindingProcessorManager bindingProcessorManager) { + this.bindingProcessorManager = bindingProcessorManager; + } + + @Override + public void onApplicationEvent(ApplicationEvent event) { + if (event instanceof ContextClosedEvent) { + log.info("Shutting down MOCCA."); + bindingProcessorManager.shutdownNow(); + } + + } + +} diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/SpringBKUServlet.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/SpringBKUServlet.java index 2c6f522e..6a6f11e8 100644 --- a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/SpringBKUServlet.java +++ b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/SpringBKUServlet.java 
@@ -19,19 +19,15 @@ package at.gv.egiz.bku.online.webapp; import javax.servlet.http.HttpServlet; import at.gv.egiz.bku.binding.BindingProcessorManager; -import at.gv.egiz.bku.conf.Configurator; public abstract class SpringBKUServlet extends HttpServlet {
+ private static final long serialVersionUID = 1L; + public final static String BEAN_NAME="bindingProcessorManager"; - protected static Configurator configurator; - protected BindingProcessorManager getBindingProcessorManager() {
return (BindingProcessorManager) getServletContext().getAttribute(BEAN_NAME);
} - public static void setConfigurator(Configurator conf) { - configurator = conf; - }
}
diff --git a/BKUOnline/src/main/java/at/gv/egiz/mocca/id/AbstractCommandSequenceBindingProcessor.java b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/AbstractCommandSequenceBindingProcessor.java
new file mode 100644
index 00000000..897ec227
--- /dev/null
+++ b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/AbstractCommandSequenceBindingProcessor.java
@@ -0,0 +1,123 @@ +/* +* Copyright 2009 Federal Chancellery Austria and +* Graz University of Technology +* +* Licensed under the Apache License, Version 2.0 (the "License"); +* you may not use this file except in compliance with the License. +* You may obtain a copy of the License at +* +* http://www.apache.org/licenses/LICENSE-2.0 +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, +* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +* See the License for the specific language governing permissions and +* limitations under the License. +*/ + +package at.gv.egiz.mocca.id; + +import java.util.Collections; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import at.gv.egiz.bku.binding.AbstractBindingProcessor; +import at.gv.egiz.bku.slcommands.SLCommand; +import at.gv.egiz.bku.slcommands.SLCommandContext; +import at.gv.egiz.bku.slcommands.SLResult; +import at.gv.egiz.bku.slexceptions.SLCommandException; +import at.gv.egiz.bku.slexceptions.SLException; +import at.gv.egiz.stal.QuitRequest; + +public abstract class AbstractCommandSequenceBindingProcessor extends AbstractBindingProcessor { + + protected static Logger log = LoggerFactory.getLogger(AbstractCommandSequenceBindingProcessor.class); + + /** + * @return the error + */ + protected Exception getError() { + return error; + } + + /** + * @param error the error to set + */ + protected void setError(Exception error) { + this.error = error; + } + + private Exception error; + + private SLCommandBrocker commandBrocker = new SLCommandBrocker(); + + /** + * External processing? + */ + private boolean external; + + /** + * Constructs a new instance of this IdBindingProcessorImpl with + * the given ID. 
+ */ + public AbstractCommandSequenceBindingProcessor() { + super(); + } + + /** + * @return the external + */ + public boolean isExternal() { + return external; + } + + /** + * @param external the external to set + */ + public void setExternal(boolean external) { + this.external = external; + } + + protected abstract SLCommand getNextCommand(); + + protected abstract void processResult(SLResult result); + + @Override + public synchronized void process() { + + try { + + SLCommand command; + do { + command = getNextCommand(); + SLCommandContext context = new SLCommandContext(getSTAL(), getUrlDereferencer(), locale); + SLResult result = null; + if (external) { + result = commandBrocker.execute(command, context, 3 * 60 * 1000); + } else { + if (command != null) { + result = command.execute(context); + } else { + stal.handleRequest(Collections.singletonList(new QuitRequest())); + } + } + if (result != null) { + processResult(result); + } + } while (command != null); + + } catch (InterruptedException e) { + setError(new SLException(6000)); + } catch (Exception e) { + log.info("BindingProcessor error.", e); + setError(e); + } + + } + + public SLCommand setExternalResult(SLResult slResult) throws SLCommandException, InterruptedException { + return commandBrocker.nextCommand(slResult, 3 * 60 * 1000); + } + +} diff --git a/BKUOnline/src/main/java/at/gv/egiz/mocca/id/DataURLServerServlet.java b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/DataURLServerServlet.java new file mode 100644 index 00000000..b40fd35f --- /dev/null +++ b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/DataURLServerServlet.java 
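Review bot: process() catches InterruptedException, records `new SLException(6000)` and returns without restoring the interrupt flag, so whoever interrupted the thread (the BindingProcessorManager's shutdownNow seen in ShutdownHandler presumably does) cannot observe that the interruption was honoured; add `Thread.currentThread().interrupt();` in that catch block. The timeout `3 * 60 * 1000` is written twice, in process() and setExternalResult; a named constant such as `private static final long EXTERNAL_COMMAND_TIMEOUT_MS = 3 * 60 * 1000;` documents the unit and keeps both call sites in step. The constructor Javadoc speaks of "IdBindingProcessorImpl" and "the given ID", neither of which matches this class's no-argument constructor; `/** Constructs a new command sequence binding processor. */` would be accurate. `external` is written by setExternal without synchronization while process() is synchronized — whether that matters depends on callers not visible here, but a `volatile` on the field or a note on the expected call order would settle it.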
@@ -0,0 +1,225 @@ +/* +* Copyright 2009 Federal Chancellery Austria and +* Graz University of Technology +* +* Licensed under the Apache License, Version 2.0 (the "License"); +* you may not use this file except in compliance with the License. +* You may obtain a copy of the License at +* +* http://www.apache.org/licenses/LICENSE-2.0 +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, +* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +* See the License for the specific language governing permissions and +* limitations under the License. +*/ + +package at.gv.egiz.mocca.id; + +import java.io.IOException; +import java.io.InputStream; +import java.util.Iterator; + +import javax.servlet.ServletException; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.xml.XMLConstants; +import javax.xml.bind.JAXBElement; +import javax.xml.bind.JAXBException; +import javax.xml.bind.Marshaller; +import javax.xml.parsers.DocumentBuilder; +import javax.xml.parsers.DocumentBuilderFactory; +import javax.xml.parsers.ParserConfigurationException; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.w3c.dom.Document; +import org.w3c.dom.Element; +import org.xml.sax.SAXException; + +import at.gv.egiz.bku.binding.BindingProcessor; +import at.gv.egiz.bku.binding.FormParameter; +import at.gv.egiz.bku.binding.IdFactory; +import at.gv.egiz.bku.binding.InputDecoder; +import at.gv.egiz.bku.binding.InputDecoderFactory; +import at.gv.egiz.bku.online.webapp.SpringBKUServlet; +import at.gv.egiz.bku.slcommands.SLCommand; +import at.gv.egiz.bku.slcommands.SLMarshallerFactory; +import at.gv.egiz.bku.slcommands.SLResult; +import at.gv.egiz.bku.slcommands.impl.DomCreateXMLSignatureResultImpl; +import at.gv.egiz.bku.slcommands.impl.DomErrorResultImpl; +import at.gv.egiz.bku.slcommands.impl.DomInfoboxReadResultImpl; 
+import at.gv.egiz.bku.slcommands.impl.ErrorResultImpl; +import at.gv.egiz.bku.slcommands.impl.SLCommandImpl; +import at.gv.egiz.bku.slexceptions.SLCommandException; +import at.gv.egiz.bku.utils.DebugInputStream; +import at.gv.egiz.bku.utils.StreamUtil; +import at.gv.egiz.slbinding.SLUnmarshaller; + +public class DataURLServerServlet extends SpringBKUServlet { + + private static Logger log = LoggerFactory.getLogger(DataURLServerServlet.class); + + /** + * + */ + private static final long serialVersionUID = 1L; + + /* (non-Javadoc) + * @see javax.servlet.http.HttpServlet#doPost(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse) + */ + @Override + protected void doPost(HttpServletRequest req, HttpServletResponse resp) + throws ServletException, IOException { + + String userAgent = req.getHeader("User-Agent"); + String contentType = req.getContentType(); + log.debug("Content-Type: " + contentType + " User-Agent: " + userAgent); + + InputDecoder dec = InputDecoderFactory.getDecoder(contentType, req.getInputStream()); + + String sessionId = null; + Element respElement = null; + + Iterator<FormParameter> formParams = dec.getFormParameterIterator(); + while(formParams.hasNext()) { + FormParameter parameter = formParams.next(); + String name = parameter.getFormParameterName(); + if ("SessionID_".equals(name)) { + sessionId = StreamUtil.asString(parameter.getFormParameterValue(), "UTF-8"); + log.debug("SessionID: {}", sessionId); + } else if ("ResponseType".equals(name)) { + String parameterContentType = parameter.getFormParameterContentType(); + if (log.isDebugEnabled()) { + log.debug("ResponseType: ({}) {}.", parameterContentType, StreamUtil.asString(parameter.getFormParameterValue(), "UTF-8")); + } + } else if ("XMLResponse".equals(name)) { + InputStream inputStream = parameter.getFormParameterValue(); + + DebugInputStream di = null; + if (log.isDebugEnabled()) { + di = new DebugInputStream(inputStream); + inputStream = di; + } + + 
SLUnmarshaller slUnmarshaller = new SLUnmarshaller(); + + DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); + dbf.setNamespaceAware(true); + dbf.setSchema(slUnmarshaller.getSlSchema()); + try { + dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); + } catch (ParserConfigurationException e) { + log.warn("Failed to enable secure processing.", e); + } + + // http://www.w3.org/TR/xmldsig-bestpractices/#be-aware-schema-normalization + try { + dbf.setAttribute("http://apache.org/xml/features/validation/schema/normalized-value", Boolean.FALSE); + } catch (IllegalArgumentException e) { + log.warn("Failed to disable schema normalization " + + "(see http://www.w3.org/TR/xmldsig-bestpractices/#be-aware-schema-normalization)", e); + } + + DocumentBuilder documentBuilder; + try { + documentBuilder = dbf.newDocumentBuilder(); + } catch (ParserConfigurationException e) { + log.error("Failed to create parser for Security Layer response." , e); + resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); + return; + } + + try { + Document doc = documentBuilder.parse(inputStream); + respElement = doc.getDocumentElement(); + } catch (SAXException e) { + log.info("Failed to parse Security Layer response.", e); + // TODO set error and redirect + resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); + return; + } + + if (di != null) { + log.debug("XMLResponse:\n{}", new String(di.getBufferedBytes(), "UTF-8")); + } + + } + + } + + SAMLBindingProcessorImpl bindingProcessor = null; + if (sessionId != null) { + bindingProcessor = getBindingProcessor(sessionId); + } + + if (bindingProcessor != null && respElement != null) { + + SLResult slResult = null; + if ("http://www.buergerkarte.at/namespaces/securitylayer/1.2#".equals(respElement.getNamespaceURI())) { + if ("NullOperationResponse".equals(respElement.getLocalName())) { + slResult = null; + } else if ("InfoboxReadResponse".equals(respElement.getLocalName())) { + slResult = new 
DomInfoboxReadResultImpl(respElement); + } else if ("CreateXMLSignatureResponse".equals(respElement.getLocalName())) { + slResult = new DomCreateXMLSignatureResultImpl(respElement); + } else if ("ErrorResponse".equals(respElement.getLocalName())) { + slResult = new DomErrorResultImpl(respElement); + } else { + // TODO: report proper error + at.gv.egiz.bku.slexceptions.SLException slException = new at.gv.egiz.bku.slexceptions.SLException(0); + slResult = new ErrorResultImpl(slException, null); + } + + } + + SLCommand slCommand = null; + try { + slCommand = bindingProcessor.setExternalResult(slResult); + } catch (SLCommandException e) { + log.debug(e.getMessage()); + } catch (InterruptedException e) { + // interrupted + } + + if (slCommand instanceof SLCommandImpl<?>) { + JAXBElement<?> request = ((SLCommandImpl<?>) slCommand).getRequest(); + Marshaller marshaller = SLMarshallerFactory.getInstance().createMarshaller(false, false); + try { + + resp.setCharacterEncoding("UTF-8"); + resp.setContentType("text/xml"); + + marshaller.marshal(request, resp.getOutputStream()); + + return; + + } catch (JAXBException e) { + log.error("Failed to marshall Security Layer request.", e); + } + + } + + } + + resp.sendRedirect("bkuResult"); + + } + + protected SAMLBindingProcessorImpl getBindingProcessor(String sessionId) { + + BindingProcessor bp = getBindingProcessorManager().getBindingProcessor( + IdFactory.getInstance().createId(sessionId)); + + if (bp instanceof SAMLBindingProcessorImpl) { + log.debug("Found active BindingProcessor, using this one."); + return (SAMLBindingProcessorImpl) bp; + } + + return null; + + } + + +} diff --git a/BKUOnline/src/main/java/at/gv/egiz/mocca/id/IdLink.java b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/IdLink.java new file mode 100644 index 00000000..fd4ef8e7 --- /dev/null +++ b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/IdLink.java 
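Review bot: The DocumentBuilderFactory that parses the XMLResponse form parameter — a request body sent by the client — enables FEATURE_SECURE_PROCESSING but does not disable DOCTYPE or entity processing, and on JDK parsers of this era secure processing alone does not stop external entities from being resolved; inside the existing try add `dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` and `dbf.setExpandEntityReferences(false);`, since a Security Layer response never needs a DTD. The debug line `log.debug("Content-Type: " + contentType + " User-Agent: " + userAgent)` concatenates unconditionally and differs from the parameterized style used in the rest of the file; `log.debug("Content-Type: {} User-Agent: {}", contentType, userAgent)` matches. The `catch (InterruptedException e) { // interrupted }` around setExternalResult swallows the interrupt; `Thread.currentThread().interrupt();` should be restored there. `InputDecoderFactory.getDecoder` may return null for an unsupported Content-Type (its contract is not visible here), in which case `dec.getFormParameterIterator()` fails with a NullPointerException and a 500 instead of `resp.sendError(HttpServletResponse.SC_BAD_REQUEST)`.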
@@ -0,0 +1,346 @@ +/* +* Copyright 2009 Federal Chancellery Austria and +* Graz University of Technology +* +* Licensed under the Apache License, Version 2.0 (the "License"); +* you may not use this file except in compliance with the License. +* You may obtain a copy of the License at +* +* http://www.apache.org/licenses/LICENSE-2.0 +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, +* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +* See the License for the specific language governing permissions and +* limitations under the License. +*/ + +package at.gv.egiz.mocca.id; + +import iaik.xml.crypto.dom.DOMCryptoContext; +import iaik.xml.crypto.dsig.keyinfo.KeyValueType; + +import java.io.IOException; +import java.io.InputStream; +import java.security.PublicKey; +import java.security.cert.X509Certificate; +import java.text.ParseException; +import java.util.ArrayList; +import java.util.List; + +import javax.xml.bind.JAXBElement; +import javax.xml.bind.JAXBException; +import javax.xml.crypto.MarshalException; +import javax.xml.crypto.dom.DOMStructure; +import javax.xml.crypto.dsig.Manifest; +import javax.xml.crypto.dsig.Reference; +import javax.xml.crypto.dsig.XMLObject; +import javax.xml.crypto.dsig.XMLSignature; +import javax.xml.crypto.dsig.XMLSignatureException; +import javax.xml.crypto.dsig.XMLSignatureFactory; +import javax.xml.crypto.dsig.dom.DOMValidateContext; +import javax.xml.crypto.dsig.keyinfo.KeyInfo; +import javax.xml.crypto.dsig.keyinfo.X509Data; + +import oasis.names.tc.saml._1_0.assertion.AnyType; +import oasis.names.tc.saml._1_0.assertion.AssertionType; +import oasis.names.tc.saml._1_0.assertion.AttributeStatementType; +import oasis.names.tc.saml._1_0.assertion.AttributeType; +import oasis.names.tc.saml._1_0.assertion.StatementAbstractType; +import oasis.names.tc.saml._1_0.assertion.SubjectConfirmationType; + +import org.slf4j.Logger; 
+import org.slf4j.LoggerFactory; +import org.w3c.dom.Element; +import org.w3c.dom.Node; + +import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType; +import at.gv.egiz.bku.utils.StreamUtil; + +public class IdLink { + + protected Logger log = LoggerFactory.getLogger(IdLink.class); + + /** + * The IdLink is backed by a DOM. + */ + protected Node node; + + /** + * The <code>Assertion</code> (root element) of the IdLink. + */ + protected AssertionType assertion; + + /** + * The citizen's asserted public keys. + */ + protected List<PublicKey> citizenPublicKeys; + + /** + * The XMLSignature. + */ + protected XMLSignature signature; + + /** + * The assertion's signer certificate. + */ + protected X509Certificate signerCert; + + /** + * Is the assertion's signature manifest valid? + */ + protected Boolean manifestValid; + + /** + * Is the assertion's signature valid? + */ + protected Boolean signatureValid; + + /** + * The personal identifier + */ + protected IdLinkPersonData personData; + + public IdLink(Element node, AssertionType assertion) throws JAXBException { + this.node = node; + this.assertion = assertion; + } + + public PhysicalPersonType getPhysicalPerson() { + + AttributeStatementType attributeStatement = getAttributeStatement(); + if (attributeStatement != null) { + JAXBElement<?> subjectConfirmation = attributeStatement.getSubject().getContent().get(0); + if (subjectConfirmation.getDeclaredType() == SubjectConfirmationType.class) { + Object data = ((SubjectConfirmationType) subjectConfirmation.getValue()) + .getSubjectConfirmationData().getContent().get(0); + if (data instanceof JAXBElement<?> + && ((JAXBElement<?>) data).getValue() instanceof PhysicalPersonType) { + return (PhysicalPersonType) ((JAXBElement<?>) data).getValue(); + } + } + } + + return null; + } + + public AttributeStatementType getAttributeStatement() { + + StatementAbstractType statement = + 
assertion.getStatementOrSubjectStatementOrAuthenticationStatement().get(0); + + if (statement instanceof AttributeStatementType) { + return (AttributeStatementType) statement; + } + + return null; + + } + + public IdLinkPersonData getPersonData() throws MarshalException { + if (personData == null) { + try { + personData = new IdLinkPersonData(getPhysicalPerson()); + } catch (ParseException e) { + throw new MarshalException(e); + } + } + return personData; + } + + public List<PublicKey> getCitizenPublicKeys() throws MarshalException { + if (citizenPublicKeys == null) { + + citizenPublicKeys = new ArrayList<PublicKey>(); + + AttributeStatementType attributeStatement = getAttributeStatement(); + if (attributeStatement != null) { + List<AttributeType> attributes = attributeStatement.getAttribute(); + for (AttributeType attribute : attributes) { + if ("urn:publicid:gv.at:namespaces:identitylink:1.2".equals(attribute.getAttributeNamespace()) + && "CitizenPublicKey".equals(attribute.getAttributeName())) { + List<AnyType> value = attribute.getAttributeValue(); + if (value.size() == 1 && value.get(0).getContent().size() == 1) { + Object object = value.get(0).getContent().get(0); + if (object instanceof Element) { + Element element = (Element) object; + DOMStructure structure = iaik.xml.crypto.dom.DOMStructure.getInstance(element, new DOMCryptoContext()); + if (structure instanceof KeyValueType) { + citizenPublicKeys.add(((KeyValueType) structure).getPublicKey()); + } + } + } + } + } + } + + } + return citizenPublicKeys; + } + + public XMLSignature getXMLSignature() throws MarshalException { + if (signature == null) { + + Node n = node.getLastChild(); + while (n != null && n.getNodeType() != Node.ELEMENT_NODE) { + n = n.getPreviousSibling(); + } + + if (n != null + && XMLSignature.XMLNS.equals(n.getNamespaceURI()) + && "Signature".equals(n.getLocalName())) { + + XMLSignatureFactory signatureFactory = XMLSignatureFactory.getInstance(); + signature = 
signatureFactory.unmarshalXMLSignature(new DOMStructure(n)); + } + + + } + return signature; + } + + public X509Certificate getSignerCert() throws MarshalException { + if (signerCert == null) { + + if (getXMLSignature() != null) { + + KeyInfo keyInfo = signature.getKeyInfo(); + if (keyInfo != null) { + List<?> content = keyInfo.getContent(); + for (Object data : content) { + if (data instanceof X509Data) { + List<?> x509Data = ((X509Data) data).getContent(); + for (Object object : x509Data) { + if (object instanceof X509Certificate) { + signerCert = (X509Certificate) object; + return signerCert; + } + } + } + } + } + } + } + return signerCert; + } + + + @SuppressWarnings("unchecked") + public boolean verifySignature() throws MarshalException, XMLSignatureException { + if (signatureValid == null) { + if (getXMLSignature() != null && getSignerCert() != null) { + + DOMValidateContext validateContext = new DOMValidateContext(signerCert.getPublicKey(), node); + validateContext.setProperty("javax.xml.crypto.dsig.cacheReference", Boolean.TRUE); + + signatureValid = signature.validate(validateContext); + + // logging + if (!signatureValid && log.isTraceEnabled()) { + List<Reference> references = signature.getSignedInfo().getReferences(); + for (Reference reference : references) { + if (!Manifest.TYPE.equals(reference.getType())) { + if (!reference.validate(validateContext)) { + InputStream digestInputStream = reference.getDigestInputStream(); + if (digestInputStream != null) { + try { + log.trace("SignedInfo's reference digest input:\n{}", + StreamUtil.asString(digestInputStream, "UTF-8")); + } catch (IOException e) { + log.info("Failed to get SignedInfos's reference digest input", e.toString()); + } + } + } else { + try { + log.trace("Signature canonicalized data:\n{}", StreamUtil.asString(signature + .getSignedInfo().getCanonicalizedData(), "UTF-8")); + } catch (IOException e) { + log.info("Failed to get canonicalized data.", e); + } + } + break; + } + } + } + + } + } + 
return signatureValid; + } + + @SuppressWarnings("unchecked") + public boolean verifyManifest() throws MarshalException, XMLSignatureException { + if (manifestValid == null) { + if (getXMLSignature() != null && getSignerCert() != null) { + + DOMValidateContext validateContext = new DOMValidateContext(signerCert.getPublicKey(), node); + if (log.isTraceEnabled()) { + // enable reference caching in trace log-level + validateContext.setProperty("javax.xml.crypto.dsig.cacheReference", Boolean.TRUE); + } + boolean valid = false; + + // validate manifest + List<XMLObject> objects = signature.getObjects(); + for (XMLObject object : objects) { + List<?> content = object.getContent(); + if (content.get(0) instanceof Manifest) { + Manifest manifest = (Manifest) content.get(0); + List<Reference> references = manifest.getReferences(); + for (Reference reference : references) { + + valid = reference.validate(validateContext); + + // logging + if (!valid && log.isTraceEnabled()) { + InputStream digestInputStream = reference.getDigestInputStream(); + if (digestInputStream != null) { + try { + log.trace("Manifest's reference digest input:\n{}", + StreamUtil.asString(digestInputStream, "UTF-8")); + } catch (IOException e) { + log.info("Failed to get Manifest's reference digest input", e.toString()); + } + } + } + break; + } + } + } + + // validate reference to manifest + if (valid) { + List<Reference> references = signature.getSignedInfo().getReferences(); + for (Reference reference : references) { + if (Manifest.TYPE.equals(reference.getType())) { + + boolean refValid = reference.validate(validateContext); + + // logging + if (!refValid && log.isTraceEnabled()) { + InputStream digestInputStream = reference.getDigestInputStream(); + if (digestInputStream != null) { + try { + log.trace("SignedInfo's manifest reference digest input:\n{}", + StreamUtil.asString(digestInputStream, "UTF-8")); + } catch (IOException e) { + log.info("Failed to get SignedInfos's manifest reference digest 
input", e.toString()); + } + } + } + + valid &= refValid; + + } + } + } + + manifestValid = valid; + + } + + } + return manifestValid; + } + +} diff --git a/BKUOnline/src/main/java/at/gv/egiz/mocca/id/IdLinkException.java b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/IdLinkException.java new file mode 100644 index 00000000..12383861 --- /dev/null +++ b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/IdLinkException.java @@ -0,0 +1,43 @@ +/* +* Copyright 2009 Federal Chancellery Austria and +* Graz University of Technology +* +* Licensed under the Apache License, Version 2.0 (the "License"); +* you may not use this file except in compliance with the License. +* You may obtain a copy of the License at +* +* http://www.apache.org/licenses/LICENSE-2.0 +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, +* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +* See the License for the specific language governing permissions and +* limitations under the License. +*/ + +package at.gv.egiz.mocca.id; + +public class IdLinkException extends Exception { + + /** + * + */ + private static final long serialVersionUID = 1L; + + public IdLinkException() { + super(); + } + + public IdLinkException(String message, Throwable cause) { + super(message, cause); + } + + public IdLinkException(String message) { + super(message); + } + + public IdLinkException(Throwable cause) { + super(cause); + } + +} diff --git a/BKUOnline/src/main/java/at/gv/egiz/mocca/id/IdLinkFactory.java b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/IdLinkFactory.java new file mode 100644 index 00000000..90312af3 --- /dev/null +++ b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/IdLinkFactory.java 
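Review bot: In `verifyManifest()` the loop over the manifest's references assigns `valid = reference.validate(validateContext)` on every iteration, so a reference that fails is overwritten by a later one that validates and a manifest with one tampered reference among several still yields `manifestValid == true`; each result must be ANDed into the running flag, and an empty reference list should not count as valid (the rewrite below keeps the trace logging keyed on the per-reference result). Separately, both `verifySignature()` and `verifyManifest()` take the verification key from the certificate the signature itself carries in its `KeyInfo` (`getSignerCert()`), so a `true` result only shows the document is consistent with a key of the document author's choosing unless the caller validates `getSignerCert()` against the expected identity-link signer. If that check lives elsewhere, a Javadoc sentence on both methods such as `Does not establish trust in the signer certificate; callers must validate getSignerCert() against a trust anchor.` would keep it from being missed.
```java
    // … unchanged: validateContext setup …
    boolean valid = false;

    // validate manifest
    List<XMLObject> objects = signature.getObjects();
    for (XMLObject object : objects) {
      List<?> content = object.getContent();
      if (!content.isEmpty() && content.get(0) instanceof Manifest) {
        Manifest manifest = (Manifest) content.get(0);
        List<Reference> references = manifest.getReferences();
        // every reference must validate; an empty manifest proves nothing
        valid = !references.isEmpty();
        for (Reference reference : references) {
          boolean refValid = reference.validate(validateContext);
          valid &= refValid;
          if (!refValid && log.isTraceEnabled()) {
            // … unchanged: trace logging of the reference digest input …
          }
        }
        break;
      }
    }
    // … unchanged: validation of the SignedInfo reference to the manifest …
```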
@@ -0,0 +1,154 @@ +/* +* Copyright 2009 Federal Chancellery Austria and +* Graz University of Technology +* +* Licensed under the Apache License, Version 2.0 (the "License"); +* you may not use this file except in compliance with the License. +* You may obtain a copy of the License at +* +* http://www.apache.org/licenses/LICENSE-2.0 +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, +* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +* See the License for the specific language governing permissions and +* limitations under the License. +*/ + +package at.gv.egiz.mocca.id; + +import java.io.IOException; +import java.net.URL; + +import javax.xml.XMLConstants; +import javax.xml.bind.JAXBContext; +import javax.xml.bind.JAXBElement; +import javax.xml.bind.JAXBException; +import javax.xml.bind.Unmarshaller; +import javax.xml.namespace.QName; +import javax.xml.parsers.DocumentBuilder; +import javax.xml.parsers.DocumentBuilderFactory; +import javax.xml.parsers.ParserConfigurationException; +import javax.xml.transform.Source; +import javax.xml.transform.stream.StreamSource; +import javax.xml.validation.Schema; +import javax.xml.validation.SchemaFactory; + +import oasis.names.tc.saml._1_0.assertion.AssertionType; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.w3c.dom.Document; +import org.w3c.dom.Element; +import org.xml.sax.InputSource; +import org.xml.sax.SAXException; + +public class IdLinkFactory { + + protected static Logger log = LoggerFactory.getLogger(IdLinkFactory.class); + + public static final String[] SCHEMA_FILES = new String[] { + "at/gv/egiz/mocca/id/idlschema/xmldsig-more.xsd", + "at/gv/egiz/mocca/id/idlschema/xmldsig-core-schema.xsd", + "at/gv/egiz/mocca/id/idlschema/PersonData.xsd", + "at/gv/egiz/mocca/id/idlschema/oasis-sstc-saml-schema-assertion-1.0.xsd"}; + + private static class InstanceHolder { + private static 
final IdLinkFactory INSTANCE = new IdLinkFactory(); + } + + public static IdLinkFactory getInstance() { + return InstanceHolder.INSTANCE; + } + + static { +// InitDOMStructure.init(); + } + + private final Schema idlSchema; + + private final JAXBContext jaxbContext; + + + private IdLinkFactory() { + + try { + SchemaFactory schemaFactory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI); + ClassLoader cl = Thread.currentThread().getContextClassLoader(); + Source[] sources = new Source[SCHEMA_FILES.length]; + for (int i = 0; i < SCHEMA_FILES.length; i++) { + String schemaFile = SCHEMA_FILES[i]; + URL schemaURL = cl.getResource(schemaFile); + if (schemaURL == null) { + throw new RuntimeException("Failed to load schema file " + schemaFile + "."); + } + log.debug("Schema location: " + schemaURL); + sources[i] = new StreamSource(schemaURL.openStream()); + } + idlSchema = schemaFactory.newSchema(sources); + } catch (IOException e) { + log.error("Failed to load identity link schema.", e); + throw new RuntimeException(e); + } catch (SAXException e) { + log.error("Failed to load identity link schema.", e); + throw new RuntimeException(e); + } + + StringBuffer packageNames = new StringBuffer(); + packageNames.append(at.gv.e_government.reference.namespace.persondata._20020228_.ObjectFactory.class.getPackage().getName()); + packageNames.append(":"); + packageNames.append(oasis.names.tc.saml._1_0.assertion.ObjectFactory.class.getPackage().getName()); + + try { + jaxbContext = JAXBContext.newInstance(packageNames.toString()); + } catch (JAXBException e) { + // we should not get an JAXBException initializing the JAXBContext + throw new RuntimeException(e); + } + + } + + public IdLink unmarshallIdLink(InputSource source) throws IdLinkException, + ParserConfigurationException, SAXException, IOException, JAXBException { + + DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); + dbf.setNamespaceAware(true); + dbf.setSchema(idlSchema); + 
dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); + + // http://www.w3.org/TR/xmldsig-bestpractices/#be-aware-schema-normalization + try { + dbf.setAttribute("http://apache.org/xml/features/validation/schema/normalized-value", Boolean.FALSE); + } catch (IllegalArgumentException e) { + log.warn("Failed to disable schema normalization " + + "(see http://www.w3.org/TR/xmldsig-bestpractices/#be-aware-schema-normalization)", e); + } + + DocumentBuilder documentBuilder = dbf.newDocumentBuilder(); + Document doc = documentBuilder.parse(source); + + return unmarshallIdLink(doc.getDocumentElement()); + + } + + public IdLink unmarshallIdLink(Element element) throws IdLinkException, JAXBException { + + Unmarshaller unmarshaller = jaxbContext.createUnmarshaller(); + unmarshaller.setSchema(idlSchema); + + Object object = unmarshaller.unmarshal(element); + + IdLink idLink; + if (object instanceof JAXBElement<?> + && ((JAXBElement<?>) object).getDeclaredType() == AssertionType.class) { + idLink = new IdLink(element, (AssertionType) ((JAXBElement<?>) object).getValue()); + } else { + throw new IllegalArgumentException("Parameter node is not a " + + new QName("urn:oasis:names:tc:SAML:1.0:assertion", "Assertion")); + } + + return idLink; + + } + +} diff --git a/BKUOnline/src/main/java/at/gv/egiz/mocca/id/IdLinkKeySelector.java b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/IdLinkKeySelector.java new file mode 100644 index 00000000..493b92af --- /dev/null +++ b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/IdLinkKeySelector.java 
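Review bot: `unmarshallIdLink(InputSource)` parses an identity link that arrives from the client side of the Security Layer exchange, and `FEATURE_SECURE_PROCESSING` on its own mainly bounds entity expansion; on the Xerces-based JAXP parsers this 2009 code most likely runs on it does not by itself stop a DOCTYPE with external entities from being resolved. A valid identity link never needs a DTD, so forbid it next to the existing feature: `dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);`, `dbf.setXIncludeAware(false);`, `dbf.setExpandEntityReferences(false);` — the same parser setup in the response handler at the start of this chunk would want the same treatment. In the constructor, `new StreamSource(schemaURL.openStream())` never closes the four streams and carries no system id; `new StreamSource(schemaURL.openStream(), schemaURL.toExternalForm())` at least lets the schema factory resolve relative imports between the schema files, and the streams can be closed once `newSchema` has returned.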
@@ -0,0 +1,88 @@ +/* +* Copyright 2009 Federal Chancellery Austria and +* Graz University of Technology +* +* Licensed under the Apache License, Version 2.0 (the "License"); +* you may not use this file except in compliance with the License. +* You may obtain a copy of the License at +* +* http://www.apache.org/licenses/LICENSE-2.0 +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, +* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +* See the License for the specific language governing permissions and +* limitations under the License. +*/ + +package at.gv.egiz.mocca.id; + +import java.security.Key; +import java.security.PublicKey; +import java.security.cert.X509Certificate; + +import javax.xml.crypto.AlgorithmMethod; +import javax.xml.crypto.KeySelector; +import javax.xml.crypto.KeySelectorException; +import javax.xml.crypto.KeySelectorResult; +import javax.xml.crypto.MarshalException; +import javax.xml.crypto.XMLCryptoContext; +import javax.xml.crypto.dsig.keyinfo.KeyInfo; +import javax.xml.crypto.dsig.keyinfo.X509Data; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +public class IdLinkKeySelector extends KeySelector { + + private static Logger log = LoggerFactory.getLogger(IdLinkKeySelector.class); + + private IdLink idLink; + + public IdLinkKeySelector(IdLink idLink) { + super(); + if (idLink == null) { + throw new NullPointerException("Parameter 'idLink' must not be null."); + } + this.idLink = idLink; + } + + @Override + public KeySelectorResult select(KeyInfo keyInfo, Purpose purpose, + AlgorithmMethod method, XMLCryptoContext context) + throws KeySelectorException { + + if (purpose != Purpose.VERIFY) { + throw new KeySelectorException("KeySelector does not support purpose " + + purpose + "."); + } + + try { + for (Object ki : keyInfo.getContent()) { + if (ki instanceof X509Data) { + for (Object xd : ((X509Data) 
ki).getContent()) { + if (xd instanceof X509Certificate) { + final PublicKey publicKey = ((X509Certificate) xd).getPublicKey(); + if (idLink.getCitizenPublicKeys().contains(publicKey)) { + log.trace("Found matching key {} in identiy link and KeyInfo.", publicKey); + return new KeySelectorResult() { + @Override + public Key getKey() { + return publicKey; + } + }; + } + } + } + } + } + } catch (MarshalException e) { + log.info("Failed to get public keys from identity link.", e); + throw new KeySelectorException(e); + } + + log.info("Did not find matching public keys in the identity link and the KeyInfo."); + return null; + } + +} diff --git a/BKUOnline/src/main/java/at/gv/egiz/mocca/id/IdLinkPersonData.java b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/IdLinkPersonData.java new file mode 100644 index 00000000..5b6f4453 --- /dev/null +++ b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/IdLinkPersonData.java 
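Review bot: `select()` returns `null` when no certificate in the `KeyInfo` matches, but `KeySelector` callers expect either a `KeySelectorResult` or a `KeySelectorException`; the JDK's `XMLSignature.validate()` dereferences the result unconditionally, so a signature carrying an unrelated certificate would surface as a `NullPointerException` rather than a clean verification failure (the IAIK implementation wired in here may behave differently — worth confirming). Replace the final `return null;` with `throw new KeySelectorException("No certificate in KeyInfo matches a CitizenPublicKey of the identity link.");`. The match itself relies on `List.contains`, i.e. `PublicKey.equals()` between a key parsed from the identity link's `KeyValue` and one taken from an `X509Certificate`, which is only reliable when both come from the same provider; comparing `Arrays.equals(a.getEncoded(), b.getEncoded())` avoids a spurious mismatch (it fails closed, but would break every login).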
@@ -0,0 +1,76 @@ +/* +* Copyright 2009 Federal Chancellery Austria and +* Graz University of Technology +* +* Licensed under the Apache License, Version 2.0 (the "License"); +* you may not use this file except in compliance with the License. +* You may obtain a copy of the License at +* +* http://www.apache.org/licenses/LICENSE-2.0 +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, +* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +* See the License for the specific language governing permissions and +* limitations under the License. +*/ + +package at.gv.egiz.mocca.id; + +import java.text.DateFormat; +import java.text.ParseException; +import java.text.SimpleDateFormat; +import java.util.Date; + +import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType; +import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType; + +public class IdLinkPersonData { + + private static final DateFormat DATE_FORMAT = new SimpleDateFormat("yyyy-MM-dd"); + + protected PersonalIdentifier identifier; + + protected String familyName; + + protected String givenName; + + protected Date dateOfBirth; + + public IdLinkPersonData(PhysicalPersonType physicalPerson) throws ParseException { + familyName = physicalPerson.getName().getFamilyName().get(0).getValue(); + givenName = physicalPerson.getName().getGivenName().get(0); + dateOfBirth = DATE_FORMAT.parse(physicalPerson.getDateOfBirth()); + IdentificationType identificationType = physicalPerson.getIdentification().get(0); + if (identificationType != null) { + identifier = new PersonalIdentifier(identificationType.getType(), + identificationType.getValue().getValue()); + } + } + + public String getGivenName() { + return givenName; + } + + public String getFamilyName() { + return familyName; + } + + public Date getDateOfBirth() throws ParseException { + return dateOfBirth; + } 
+ + public PersonalIdentifier getIdentifier() { + return identifier; + } + + /* (non-Javadoc) + * @see java.lang.Object#toString() + */ + @Override + public String toString() { + return familyName + ", " + givenName + ", " + DATE_FORMAT.format(dateOfBirth); + } + + +} diff --git a/BKUOnline/src/main/java/at/gv/egiz/mocca/id/PersonalIdentifier.java b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/PersonalIdentifier.java new file mode 100644 index 00000000..ad108dc2 --- /dev/null +++ b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/PersonalIdentifier.java 
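Review bot: `DATE_FORMAT` is a shared `static final SimpleDateFormat`, which is not thread-safe, and it is used from the constructor (`parse`) and `toString()` (`format`); under concurrent requests two identity-link unmarshallings can silently corrupt each other's date of birth rather than fail. Create the formatter per call instead, e.g. `new SimpleDateFormat("yyyy-MM-dd")` with `setLenient(false)` so that an out-of-range month or day in `DateOfBirth` is rejected instead of rolled over. The constructor also calls `physicalPerson.getIdentification().get(0)` before the `!= null` check, so an identity link without an `Identification` element throws `IndexOutOfBoundsException` there; test `isEmpty()` first. `getDateOfBirth()` declares `throws ParseException` but can never throw it.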
@@ -0,0 +1,81 @@ +/* +* Copyright 2009 Federal Chancellery Austria and +* Graz University of Technology +* +* Licensed under the Apache License, Version 2.0 (the "License"); +* you may not use this file except in compliance with the License. +* You may obtain a copy of the License at +* +* http://www.apache.org/licenses/LICENSE-2.0 +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, +* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +* See the License for the specific language governing permissions and +* limitations under the License. +*/ + +package at.gv.egiz.mocca.id; + +import iaik.utils.Base64OutputStream; + +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.io.UnsupportedEncodingException; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; + +public class PersonalIdentifier { + + public static final String PREFIX = "urn:publicid:gv.at:"; + + public static final String BASE_ID = PREFIX + "baseid"; + + + protected String type; + + protected String value; + + public PersonalIdentifier(String type, String value) { + this.type = type; + this.value = value; + } + + /** + * @return the type + */ + public String getType() { + return type; + } + + /** + * @return the value + */ + public String getValue() { + return value; + } + + public PersonalIdentifier getDerivedValue(String domainId) { + + if (BASE_ID.equals(type)) { + try { + MessageDigest md = MessageDigest.getInstance("SHA"); + ByteArrayOutputStream os = new ByteArrayOutputStream(); + Base64OutputStream bos = new Base64OutputStream(os); + bos.write(md.digest((value + '+' + domainId).getBytes("ISO-8859-1"))); + bos.flush(); + return new PersonalIdentifier(domainId, os.toString("ASCII")); + } catch (NoSuchAlgorithmException e) { + throw new RuntimeException(e); + } catch (UnsupportedEncodingException e) { + throw new 
RuntimeException(e); + } catch (IOException e) { + throw new RuntimeException(e); + } + } + return null; + + } + + +} diff --git a/BKUOnline/src/main/java/at/gv/egiz/mocca/id/QESTemplates.java b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/QESTemplates.java new file mode 100644 index 00000000..8737d39c --- /dev/null +++ b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/QESTemplates.java 
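Review bot: `getDerivedValue()` requests `MessageDigest.getInstance("SHA")`, a provider-dependent alias; spell it as `"SHA-1"` and say why in a comment, because `base64(SHA-1(baseId + "+" + domainId))` matches the Austrian bPK/wbPK derivation and a later "upgrade" of the hash would silently change every derived identifier: `// SHA-1 is fixed by the bPK derivation scheme; changing it changes every derived id`. The method returns `null` for any identifier type other than `BASE_ID`, and `QESTemplates.createQESTemplate` dereferences the result without a check; either document it (`@return the sector-specific identifier, or null if this identifier is not a base id`) or throw `IllegalStateException`. The character encoding applied before hashing (`ISO-8859-1`) is likewise part of the derived value's definition — a comment naming the specification that fixes it would help whoever has to verify interoperability.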
@@ -0,0 +1,115 @@ +/* +* Copyright 2009 Federal Chancellery Austria and +* Graz University of Technology +* +* Licensed under the Apache License, Version 2.0 (the "License"); +* you may not use this file except in compliance with the License. +* You may obtain a copy of the License at +* +* http://www.apache.org/licenses/LICENSE-2.0 +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, +* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +* See the License for the specific language governing permissions and +* limitations under the License. +*/ + +package at.gv.egiz.mocca.id; + +import java.io.InputStream; +import java.io.StringWriter; +import java.text.DateFormat; +import java.text.ParseException; +import java.util.Collections; +import java.util.Date; +import java.util.HashMap; +import java.util.Locale; +import java.util.Map; + +import javax.xml.crypto.MarshalException; +import javax.xml.transform.Templates; +import javax.xml.transform.Transformer; +import javax.xml.transform.TransformerConfigurationException; +import javax.xml.transform.TransformerException; +import javax.xml.transform.TransformerFactory; +import javax.xml.transform.stream.StreamResult; +import javax.xml.transform.stream.StreamSource; + +import at.gv.egiz.bku.slexceptions.SLRuntimeException; + +public class QESTemplates { + + private Map<String, Templates> templatesMap = Collections.synchronizedMap(new HashMap<String, Templates>()); + + private synchronized Templates getTemplates(String id) { + + Templates templates = templatesMap.get(id); + if (templates == null) { + templates = loadTemplates(id); + templatesMap.put(id, templates); + } + return templates; + + } + + protected Templates loadTemplates(String id) { + + InputStream xsl = QESTemplates.class.getResourceAsStream("/templates/template.xsl"); + if (xsl == null) { + throw new IllegalArgumentException("Template not found."); + } + 
TransformerFactory transformerFactory = TransformerFactory.newInstance(); + try { + return transformerFactory.newTemplates(new StreamSource(xsl)); + } catch (TransformerConfigurationException e) { + throw new SLRuntimeException(e); + } + + } + + public String createQESTemplate(String id, Locale locale, IdLink idLink, String url, PersonalIdentifier derivedIdentifier, Date dateTime) { + + Templates templates = getTemplates(id); + try { + Transformer transformer = templates.newTransformer(); + + DateFormat dateFormat = DateFormat.getDateInstance(DateFormat.MEDIUM, locale); + DateFormat timeFormat = DateFormat.getTimeInstance(DateFormat.MEDIUM, locale); + + IdLinkPersonData personData = idLink.getPersonData(); + + transformer.setParameter("givenName", personData.getGivenName()); + transformer.setParameter("familyName", personData.getFamilyName()); + transformer.setParameter("dateOfBirth", dateFormat.format(personData.getDateOfBirth())); + + transformer.setParameter("url", url); + transformer.setParameter("identifierType", derivedIdentifier.getType()); + transformer.setParameter("identifierValue", derivedIdentifier.getValue()); + + transformer.setParameter("date", dateFormat.format(dateTime)); + transformer.setParameter("time", timeFormat.format(dateTime)); + + + StringWriter writer = new StringWriter(); + transformer.transform(new StreamSource(), new StreamResult(writer)); + + + return writer.toString(); + } catch (TransformerConfigurationException e) { + throw new SLRuntimeException(e); + } catch (TransformerException e) { + // TODO Auto-generated catch block + e.printStackTrace(); + } catch (MarshalException e) { + // TODO Auto-generated catch block + e.printStackTrace(); + } catch (ParseException e) { + // TODO Auto-generated catch block + e.printStackTrace(); + } + return null; + + } + +} 
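Review bot: In `createQESTemplate()` the `TransformerException`, `MarshalException` and `ParseException` branches print the stack trace and fall through to `return null`, so a broken stylesheet or an unparsable identity link hands a null template to whatever builds the signature request instead of failing the operation; the first branch already wraps in `SLRuntimeException`, and the other three should do the same: `throw new SLRuntimeException(e);`. `loadTemplates(String id)` ignores `id` and always loads `/templates/template.xsl`, so the `templatesMap` keyed by id caches the same stylesheet under every key — either this is a placeholder (then say so in a comment) or the resource path should be derived from `id`. `getTemplates` being `synchronized` also makes the `Collections.synchronizedMap` wrapper redundant.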
diff --git a/BKUOnline/src/main/java/at/gv/egiz/mocca/id/SAMLBindingProcessorFactory.java b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/SAMLBindingProcessorFactory.java
new file mode 100644
index 00000000..9a71b32f
--- /dev/null
+++ b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/SAMLBindingProcessorFactory.java
@@ -0,0 +1,44 @@
+/*
+* Copyright 2009 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+package at.gv.egiz.mocca.id;
+
+import java.util.Collections;
+import java.util.Set;
+
+import at.gv.egiz.bku.binding.AbstractBindingProcessorFactory;
+import at.gv.egiz.bku.binding.BindingProcessor;
+import at.gv.egiz.bku.binding.BindingProcessorFactory;
+import at.gv.egiz.bku.utils.binding.Protocol;
+
+public class SAMLBindingProcessorFactory extends AbstractBindingProcessorFactory implements BindingProcessorFactory {
+
+ private Set<Protocol> supportedProtocols = Collections.singleton(Protocol.SAML);
+
+ @Override
+ public Set<Protocol> getSupportedProtocols() {
+ return supportedProtocols;
+ }
+
+ @Override
+ public BindingProcessor createBindingProcessor() {
+ SAMLBindingProcessorImpl bindingProcessor = new SAMLBindingProcessorImpl();
+ configureBindingProcessor(bindingProcessor);
+ return bindingProcessor;
+ }
+
+}
diff --git a/BKUOnline/src/main/java/at/gv/egiz/mocca/id/SAMLBindingProcessorImpl.java b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/SAMLBindingProcessorImpl.java
new file mode 100644
index 00000000..ce4ac425
--- /dev/null
+++ b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/SAMLBindingProcessorImpl.java
@@ -0,0 +1,357 @@ +/* + * Copyright 2009 Federal Chancellery Austria and + * Graz University of Technology + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package at.gv.egiz.mocca.id; + +import java.io.ByteArrayInputStream; +import java.io.IOException; +import java.io.InputStream; +import java.io.OutputStream; +import java.nio.charset.Charset; +import java.util.Collections; +import java.util.Date; +import java.util.Iterator; +import java.util.List; +import java.util.Map; + +import javax.servlet.http.HttpServletResponse; +import javax.xml.bind.JAXBElement; +import javax.xml.bind.JAXBException; +import javax.xml.crypto.MarshalException; +import javax.xml.crypto.dsig.XMLSignature; +import javax.xml.crypto.dsig.XMLSignatureException; +import javax.xml.crypto.dsig.XMLSignatureFactory; +import javax.xml.crypto.dsig.dom.DOMValidateContext; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.w3c.dom.Document; +import org.w3c.dom.Element; + +import at.buergerkarte.namespaces.securitylayer._1.AnyChildrenType; +import at.buergerkarte.namespaces.securitylayer._1.Base64XMLLocRefOptRefContentType; +import at.buergerkarte.namespaces.securitylayer._1.CreateXMLSignatureRequestType; +import at.buergerkarte.namespaces.securitylayer._1.DataObjectInfoType; +import at.buergerkarte.namespaces.securitylayer._1.InfoboxReadParamsBinaryFileType; +import at.buergerkarte.namespaces.securitylayer._1.InfoboxReadRequestType; +import 
at.buergerkarte.namespaces.securitylayer._1.MetaInfoType; +import at.buergerkarte.namespaces.securitylayer._1.ObjectFactory; +import at.buergerkarte.namespaces.securitylayer._1.TransformsInfoType; +import at.gv.egiz.bku.binding.FormParameter; +import at.gv.egiz.bku.binding.HTTPBindingProcessor; +import at.gv.egiz.bku.binding.HttpUtil; +import at.gv.egiz.bku.binding.InputDecoder; +import at.gv.egiz.bku.binding.InputDecoderFactory; +import at.gv.egiz.bku.slcommands.CreateXMLSignatureResult; +import at.gv.egiz.bku.slcommands.ErrorResult; +import at.gv.egiz.bku.slcommands.InfoboxReadResult; +import at.gv.egiz.bku.slcommands.SLCommand; +import at.gv.egiz.bku.slcommands.SLCommandFactory; +import at.gv.egiz.bku.slcommands.SLResult; +import at.gv.egiz.bku.slexceptions.SLCommandException; +import at.gv.egiz.bku.slexceptions.SLVersionException; + +public class SAMLBindingProcessorImpl extends + AbstractCommandSequenceBindingProcessor implements HTTPBindingProcessor { + + private static final Logger log = LoggerFactory + .getLogger(SAMLBindingProcessorImpl.class); + + private String requestContentType; + + private String domainIdentifier = "urn:publicid:gv.at:wbpk+FN+468924i"; + + private String keyBoxIdentifier = "SecureSignatureKeypair"; + + private String url = "www.egiz.gv.at"; + + private QESTemplates templates = new QESTemplates(); + + private IdLink idLink; + + private Element signature; + + private SLResult errorResponse; + + @Override + protected void processResult(SLResult result) { + if (result instanceof ErrorResult) { + ErrorResult errorResult = (ErrorResult) result; + log.info("Got ErrorResponse {}: {}", errorResult.getErrorCode(), + errorResult.getInfo()); + errorResponse = result; + return; + } else if (result instanceof InfoboxReadResult) { + try { + processInfoboxReadResult((InfoboxReadResult) result); + if (idLink != null) { + try { + IdLinkPersonData personData = idLink.getPersonData(); + log.info("Got idLink for {}.", personData); + } catch 
(MarshalException e) { + log.info("Failed to unmarshal idLink."); + } + } + } catch (JAXBException e) { + log.info("InfoboxReadResult contains unexpected data.", e); + errorResponse = result; + } catch (IdLinkException e) { + log.info("InfoboxReadResult contains invalid identity link.", e); + errorResponse = result; + } + } else if (result instanceof CreateXMLSignatureResult) { + signature = ((CreateXMLSignatureResult) result).getContent(); + log.info("Got signature."); + boolean valid = validate(signature) && validate(idLink); + log.info("Signature is valid: " + valid); + } + } + + @Override + protected SLCommand getNextCommand() { + + JAXBElement<?> request = null; + if (errorResponse == null) { + if (idLink == null) { + request = createReadInfoboxRequest(domainIdentifier); + } else if (signature == null) { + request = createXMLSignatureRequest(); + } + } + + if (request != null) { + SLCommandFactory commandFactory = SLCommandFactory.getInstance(); + try { + return commandFactory.createSLCommand(request); + } catch (SLCommandException e) { + log.error("Failed to create SLCommand.", e); + setError(e); + } catch (SLVersionException e) { + log.error("Failed to create SLCommand.", e); + setError(e); + } + } + + return null; + } + + protected void processInfoboxReadResult(InfoboxReadResult result) + throws JAXBException, IdLinkException { + + Object object = result.getContent(); + if (object instanceof byte[]) { + log.info("InfoboxReadResult contains unexpected binary data."); + errorResponse = result; + return; + } else if (object instanceof List<?>) { + JAXBException exception = null; + for (Object content : (List<?>) object) { + if (content instanceof Element) { + try { + idLink = IdLinkFactory.getInstance().unmarshallIdLink( + (Element) content); + return; + } catch (JAXBException e) { + exception = e; + } + } + } + if (exception != null) { + throw exception; + } + } + + } + + @Override + public void setHTTPHeaders(Map<String, String> headerMap) { + for (String 
header : headerMap.keySet()) { + if (HttpUtil.HTTP_HEADER_CONTENT_TYPE.equalsIgnoreCase(header)) { + requestContentType = headerMap.get(header); + } + } + } + + @Override + public void consumeRequestStream(String url, InputStream is) { + InputDecoder inputDecoder = InputDecoderFactory.getDecoder( + requestContentType, is); + Iterator<FormParameter> fpi = inputDecoder.getFormParameterIterator(); + while (fpi.hasNext()) { + FormParameter formParameter = fpi.next(); + if ("BKUUrl".equals(formParameter.getFormParameterName())) { + setExternal(true); + } + } + } + + @Override + public String getResultContentType() { + // TODO Auto-generated method stub + return null; + } + + @Override + public void writeResultTo(OutputStream os, String encoding) + throws IOException { + // TODO Auto-generated method stub + + } + + protected JAXBElement<InfoboxReadRequestType> createReadInfoboxRequest( + String domainIdentifier) { + + ObjectFactory factory = new ObjectFactory(); + + InfoboxReadRequestType infoboxReadRequestType = factory + .createInfoboxReadRequestType(); + infoboxReadRequestType.setInfoboxIdentifier("IdentityLink"); + + InfoboxReadParamsBinaryFileType infoboxReadParamsBinaryFileType = factory + .createInfoboxReadParamsBinaryFileType(); + infoboxReadParamsBinaryFileType.setContentIsXMLEntity(true); + infoboxReadRequestType + .setBinaryFileParameters(infoboxReadParamsBinaryFileType); + + if (domainIdentifier != null) { + JAXBElement<String> identityLinkDomainIdentifier = factory + .createIdentityLinkDomainIdentifier(domainIdentifier); + AnyChildrenType anyChildrenType = factory.createAnyChildrenType(); + anyChildrenType.getAny().add(identityLinkDomainIdentifier); + + infoboxReadRequestType.setBoxSpecificParameters(anyChildrenType); + } + + return factory.createInfoboxReadRequest(infoboxReadRequestType); + + } + + protected JAXBElement<CreateXMLSignatureRequestType> createXMLSignatureRequest() { + + ObjectFactory factory = new ObjectFactory(); + + 
CreateXMLSignatureRequestType createXMLSignatureRequest = factory + .createCreateXMLSignatureRequestType(); + createXMLSignatureRequest.setKeyboxIdentifier(keyBoxIdentifier); + + DataObjectInfoType dataObjectInfoType = factory.createDataObjectInfoType(); + dataObjectInfoType.setStructure("enveloping"); + + TransformsInfoType transformsInfoType = factory.createTransformsInfoType(); + MetaInfoType metaInfoType = factory.createMetaInfoType(); + metaInfoType.setMimeType("application/xhtml+xml"); + transformsInfoType.setFinalDataMetaInfo(metaInfoType); + + dataObjectInfoType.getTransformsInfo().add(transformsInfoType); + + Base64XMLLocRefOptRefContentType contentType = factory + .createBase64XMLLocRefOptRefContentType(); + + PersonalIdentifier identifier; + try { + identifier = idLink.getPersonData().getIdentifier(); + } catch (MarshalException e) { + setError(e); + return null; + } + if ("urn:publicid:gv.at:baseid".equals(identifier.getType())) { + identifier = identifier.getDerivedValue(domainIdentifier); + } + String template = templates.createQESTemplate("test", locale, idLink, "", + identifier, new Date()); + + contentType.setBase64Content(template.getBytes(Charset.forName("UTF-8"))); + + dataObjectInfoType.setDataObject(contentType); + + createXMLSignatureRequest.getDataObjectInfo().add(dataObjectInfoType); + + return factory.createCreateXMLSignatureRequest(createXMLSignatureRequest); + + } + + protected boolean validate(IdLink idLink) { + try { + if (domainIdentifier != null && domainIdentifier.startsWith("urn:publicid:gv.at:ccid")) { + if (!idLink.verifyManifest()) { + log.info("Identity link manifest verification failed."); + return false; + } + } + if (idLink.verifySignature()) { + return true; + } + } catch (MarshalException e) { + log.info("Identity link signature verification failed.", e); + } catch (XMLSignatureException e) { + log.info("Identity link signature verification failed.", e); + } + log.info("Identity link signature verification failed."); + 
return false; + } + + + protected boolean validate(Element signature) { + + Document doc = signature.getOwnerDocument(); + if (signature != signature.getOwnerDocument().getDocumentElement()) { + doc.replaceChild(signature, doc.getDocumentElement()); + } + + XMLSignatureFactory xmlSignatureFactory = XMLSignatureFactory.getInstance(); + + try { + IdLinkKeySelector keySelector = new IdLinkKeySelector(idLink); + DOMValidateContext validateContext = new DOMValidateContext(keySelector, signature); + + XMLSignature xmlSignature = xmlSignatureFactory + .unmarshalXMLSignature(validateContext); + + return xmlSignature.validate(validateContext); + } catch (MarshalException e) { + log.info("Failed to unmarshall signature.", e); + } catch (XMLSignatureException e) { + log.info("Failed to validate signature.", e); + } + return false; + } + + @Override + public InputStream getFormData(String parameterName) { + if ("appletPage".equals(parameterName)) { + String appletPage = (isExternal()) ? "local.jsp" : "applet.jsp"; + return new ByteArrayInputStream(appletPage.getBytes()); + } + return null; + } + + @Override + public String getRedirectURL() { + return null; + } + + @Override + public int getResponseCode() { + return HttpServletResponse.SC_OK; + } + + @Override + public Map<String, String> getResponseHeaders() { + return Collections.emptyMap(); + } + +} diff --git a/BKUOnline/src/main/java/at/gv/egiz/mocca/id/SAMLRequestHandler.java b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/SAMLRequestHandler.java new file mode 100644 index 00000000..0209ca79 --- /dev/null +++ b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/SAMLRequestHandler.java 
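Review bot: In processResult the outcome of verification is only logged — `boolean valid = validate(signature) && validate(idLink);` followed by `log.info("Signature is valid: " + valid);` — and nothing records a failure, so a CreateXMLSignatureResult whose signature does not validate, or whose identity link fails manifest or signature verification, leaves `errorResponse` null and `signature` set, and getNextCommand then ends the command sequence exactly as it would for a valid signature. A failed check must be recorded, e.g. by clearing `signature` and calling `setError(...)` with an appropriate exception, or by keeping a flag that every later consumer of `signature` checks, so that an unverified signature can never be treated as a successful result. The order of the two checks is also worth reversing: `validate(signature)` constructs `IdLinkKeySelector(idLink)` and therefore trusts key material from the identity link before `validate(idLink)` has verified the link's own signature, whereas verifying the identity link first and short-circuiting on failure keeps the trust chain in the right direction. getResultContentType and writeResultTo are still generated stubs that return null and write nothing; if the class is intentionally incomplete, a class-level comment saying so would save the next reader from wondering how a response is ever produced.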
@@ -0,0 +1,33 @@
+/*
+* Copyright 2009 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+package at.gv.egiz.mocca.id;
+
+import javax.servlet.http.HttpServletRequest;
+
+import at.gv.egiz.bku.online.webapp.AbstractWebRequestHandler;
+
+public class SAMLRequestHandler extends AbstractWebRequestHandler {
+
+ private static final long serialVersionUID = 1L;
+
+ @Override
+ protected String getRequestProtocol(HttpServletRequest req) {
+ return "SAML";
+ }
+
+}
diff --git a/BKUOnline/src/main/java/at/gv/egiz/mocca/id/SLCommandBrocker.java b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/SLCommandBrocker.java
new file mode 100644
index 00000000..2e46a220
--- /dev/null
+++ b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/SLCommandBrocker.java
@@ -0,0 +1,100 @@
+/*
+* Copyright 2009 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+package at.gv.egiz.mocca.id;
+
+import at.gv.egiz.bku.slcommands.SLCommand;
+import at.gv.egiz.bku.slcommands.SLCommandContext;
+import at.gv.egiz.bku.slcommands.SLResult;
+import at.gv.egiz.bku.slcommands.impl.ErrorResultImpl;
+import at.gv.egiz.bku.slexceptions.SLCommandException;
+
+public class SLCommandBrocker {
+
+ private Sync<SLCommand> commandSync = new Sync<SLCommand>();
+
+ private Sync<SLResult> resultSync = new Sync<SLResult>();
+
+ public SLResult execute(SLCommand command, SLCommandContext context, long timeout) throws InterruptedException {
+ try {
+ commandSync.put(command, timeout);
+ if (command != null) {
+ return resultSync.get(timeout);
+ } else {
+ return null;
+ }
+ } catch (SLCommandException e) {
+ return new ErrorResultImpl(e, context.getLocale());
+ }
+ }
+
+ public SLCommand nextCommand(SLResult result, long timeout) throws SLCommandException, InterruptedException {
+ if (result != null) {
+ resultSync.put(result, timeout);
+ }
+ return commandSync.get(timeout);
+ }
+
+ public class Sync<R> {
+
+ private boolean available;
+
+ private R r;
+
+ public synchronized R get(long timeout) throws SLCommandException, InterruptedException {
+
+ long t0 = System.currentTimeMillis();
+ long elapsed = 0;
+
+ while (!available) {
+ wait(timeout - elapsed);
+ elapsed = System.currentTimeMillis() - t0;
+ if (elapsed > timeout) {
+ notifyAll();
+ throw new SLCommandException(6000);
+ }
+ }
+
+ R r = this.r;
+ this.r = null;
+ available = false;
+ notifyAll();
+ return r;
+ }
+
+ public synchronized void put(R r, long timeout) throws SLCommandException, InterruptedException {
+
+ long t0 = System.currentTimeMillis();
+ long elapsed = 0;
+
+ while (available) {
+ wait(timeout - elapsed);
+ elapsed = System.currentTimeMillis() - t0;
+ if (elapsed > timeout) {
+ notifyAll();
+ throw new SLCommandException(6000);
+ }
+ }
+
+ this.r = r;
+ available = true;
+ notifyAll();
+ }
+
+ }
+
+}
diff --git a/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/RequestBrokerSTALFactory.java b/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/RequestBrokerSTALFactory.java
index 305d8c1c..5940f505 100644
--- a/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/RequestBrokerSTALFactory.java
+++ b/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/RequestBrokerSTALFactory.java
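Review bot: In both Sync.get and Sync.put the deadline guard `if (elapsed > timeout)` lets `elapsed == timeout` through, and the next loop iteration then calls `wait(0)`, which in Java waits without limit — so a thread whose wake-up lands exactly on the deadline blocks indefinitely instead of failing with `SLCommandException(6000)`, which defeats the timeout that protects the request thread from a stalled peer. Changing both guards to `if (elapsed >= timeout)` closes that gap, and a non-positive `timeout` should be rejected up front (`if (timeout <= 0) throw new IllegalArgumentException("timeout");`), since `wait()` throws IllegalArgumentException on a negative argument and the caller's configured default is not validated here. Measuring elapsed time with `System.nanoTime()` instead of `currentTimeMillis()` would additionally make the bound immune to wall-clock adjustments. `Sync` never touches the enclosing SLCommandBrocker instance and can be `public static class Sync<R>`; a short Javadoc stating that each instance hands over exactly one value from a producer to a consumer would make the hand-off protocol explicit.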
@@ -19,27 +19,50 @@ package at.gv.egiz.stal.service.impl;
 import java.util.Locale;
+import org.apache.commons.configuration.Configuration;
+
+import at.gv.egiz.bku.conf.MoccaConfigurationFacade;
+import at.gv.egiz.bku.jmx.ComponentMXBean;
+import at.gv.egiz.bku.jmx.ComponentState;
 import at.gv.egiz.stal.STAL;
 import at.gv.egiz.stal.STALFactory;
 /**
  *
- * @author clemens
+ * @author clemens, mcentner
  */
-public class RequestBrokerSTALFactory implements STALFactory {
-
- private static long timeout = -1;
+public class RequestBrokerSTALFactory implements STALFactory, ComponentMXBean {
- @Override
- public STAL createSTAL() {
- return new STALRequestBrokerImpl(timeout);
- }
+ public final ConfigurationFacade configurationFacade = new ConfigurationFacade();
+
+ public class ConfigurationFacade implements MoccaConfigurationFacade {
+
+ private Configuration configuration;
+
+ public static final String APPLET_TIMEOUT = "AppletTimeout";
- @Override
- public void setLocale(Locale locale) {
+ public int getAppletTimeout() {
+ return configuration.getInteger(APPLET_TIMEOUT, -1);
 }
+
+ }
+
+ public void setConfiguration(Configuration configuration) {
+ configurationFacade.configuration = configuration;
+ }
+
+ @Override
+ public STAL createSTAL() {
+ return new STALRequestBrokerImpl(configurationFacade.getAppletTimeout());
+ }
+
+ @Override
+ public void setLocale(Locale locale) {
+ }
+
+ @Override
+ public ComponentState checkComponentState() {
+ return new ComponentState(true);
+ }
- public static void setTimeout(long millisec) {
- timeout = millisec;
- }
 }
diff --git a/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/STALRequestBrokerImpl.java b/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/STALRequestBrokerImpl.java
index a2447ab7..5705a9f7 100644
--- a/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/STALRequestBrokerImpl.java
+++ b/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/STALRequestBrokerImpl.java
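Review bot: createSTAL dereferences `configurationFacade.configuration`, which stays null until setConfiguration has been called, so a createSTAL (or a JMX getAppletTimeout) call before the configuration is injected fails with a bare NullPointerException; a guard such as `Objects.requireNonNull(configuration, "configuration not set")` in getAppletTimeout, or a null check in setConfiguration plus a Javadoc note on the required ordering, makes the failure explicit. The `-1` default used when AppletTimeout is absent is forwarded unchanged to `new STALRequestBrokerImpl(...)`, and the `responses.wait(timeout)` / `requests.wait(timeout)` calls visible in the STALRequestBrokerImpl hunks would presumably reject a negative argument with IllegalArgumentException, so a missing property is worth at least a warning here rather than a silent -1. `configurationFacade` is a public field exposing a mutable object and `ConfigurationFacade` is a non-static inner class; a private field with an accessor and `public static class` would narrow the surface without changing the Spring/JMX wiring, as far as can be seen from this hunk. checkComponentState unconditionally reports healthy, which should be stated in a comment if no real check is intended.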
@@ -34,8 +34,8 @@ import java.util.ArrayList; import java.util.Collections; import java.util.List; import javax.xml.bind.JAXBElement; -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; /** * An instance of STALRequestBroker is shared between a producer thread (SLCommand) @@ -50,7 +50,7 @@ import org.apache.commons.logging.LogFactory; */ public class STALRequestBrokerImpl implements STALRequestBroker { - private static final Log log = LogFactory.getLog(STALRequestBrokerImpl.class); + private final Logger log = LoggerFactory.getLogger(STALRequestBrokerImpl.class); private ObjectFactory of = new ObjectFactory(); private STALTranslator translator = new STALTranslator(); @@ -173,7 +173,7 @@ public class STALRequestBrokerImpl implements STALRequestBroker { log.trace("waiting to consume response"); responses.wait(timeout); if (System.currentTimeMillis() - beforeWait >= timeout) { - log.warn("timeout while waiting to consume response, cleanup requests"); + log.warn("Timeout while waiting to consume response, cleanup requests."); requests.clear(); hashDataInputs.clear(); return Collections.singletonList((STALResponse) new ErrorResponse(ERR_4500)); @@ -218,7 +218,7 @@ public class STALRequestBrokerImpl implements STALRequestBroker { log.trace("waiting to consume request"); requests.wait(timeout); if (System.currentTimeMillis() - beforeWait >= timeout) { - log.warn("timeout while waiting to consume request"); + log.warn("Timeout while waiting to consume request."); return createSingleQuitRequest(); } } 
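Review bot: The logger in STALRequestBrokerImpl is changed from a static field to a per-instance one, `private final Logger log = LoggerFactory.getLogger(STALRequestBrokerImpl.class);`, and the same change in STALServiceImpl's `@@ -68,10 +68,10 @@` hunk forces the static initializer there to create a second, local `Logger log` for the same class. Neither class reads any per-instance state through the logger, so `private static final Logger log = LoggerFactory.getLogger(...)` keeps the single conventional logger in both places and lets the static block in STALServiceImpl reuse it instead of duplicating the lookup. The remaining hunks in this file only recapitalise log messages and switch to parameterised `{}` logging, which is fine as is.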
@@ -250,11 +250,11 @@ public class STALRequestBrokerImpl implements STALRequestBroker { } try { synchronized (requests) { - log.trace("received responses, now consume request"); + log.trace("Received responses, now consume request."); if (requests.size() != 0) { requests.clear(); } else { - log.warn("requests queue is empty, response might have already been produced previously "); + log.warn("Requests queue is empty, response might have already been produced previously."); // return QUIT? } } @@ -266,7 +266,7 @@ public class STALRequestBrokerImpl implements STALRequestBroker { log.trace("waiting to produce response"); responses.wait(timeout); if (System.currentTimeMillis() - beforeWait >= timeout) { - log.warn("timeout while waiting to produce response"); + log.warn("Timeout while waiting to produce response."); return createSingleQuitRequest(); } } @@ -281,7 +281,7 @@ public class STALRequestBrokerImpl implements STALRequestBroker { log.trace("notifying response consumers"); responses.notify(); } else { - log.error("Received NextRequest without responses, return QUIT"); + log.error("Received NextRequest without responses, return QUIT."); return createSingleQuitRequest(); } } @@ -292,11 +292,11 @@ public class STALRequestBrokerImpl implements STALRequestBroker { log.trace("waiting to consume request"); requests.wait(timeout); if (System.currentTimeMillis() - beforeWait >= timeout) { - log.warn("timeout while waiting to consume request"); + log.warn("Timeout while waiting to consume request."); return createSingleQuitRequest(); } } - log.trace("don't consume request now, but on next response delivery"); + log.trace("Don't consume request now, but on next response delivery."); return requests; } } catch (InterruptedException ex) { 
@@ -309,7 +309,7 @@ public class STALRequestBrokerImpl implements STALRequestBroker { @Override public List<HashDataInput> getHashDataInput() { synchronized (requests) { - log.trace("return " + hashDataInputs.size() + " current HashDataInput(s) "); + log.trace("Return {} current HashDataInput(s).", hashDataInputs.size()); return hashDataInputs; } } diff --git a/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/STALServiceImpl.java b/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/STALServiceImpl.java index c8ab280f..e32dad8f 100644 --- a/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/STALServiceImpl.java +++ b/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/STALServiceImpl.java @@ -16,13 +16,30 @@ */ package at.gv.egiz.stal.service.impl; +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.io.InputStream; +import java.util.HashMap; +import java.util.List; +import java.util.Map; + +import javax.annotation.Resource; +import javax.jws.WebService; +import javax.servlet.ServletContext; +import javax.xml.bind.JAXBElement; +import javax.xml.ws.WebServiceContext; +import javax.xml.ws.handler.MessageContext; + +import org.slf4j.MDC; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + import at.buergerkarte.namespaces.cardchannel.service.CommandAPDUType; import at.buergerkarte.namespaces.cardchannel.service.ScriptType; import at.gv.egiz.bku.binding.BindingProcessor; import at.gv.egiz.bku.binding.BindingProcessorManager; import at.gv.egiz.bku.binding.Id; import at.gv.egiz.bku.binding.IdFactory; - import at.gv.egiz.stal.HashDataInput; import at.gv.egiz.stal.service.GetHashDataInputFault; import at.gv.egiz.stal.service.STALPortType; 
@@ -38,25 +55,8 @@ import at.gv.egiz.stal.service.types.RequestType; import at.gv.egiz.stal.service.types.ResponseType; import at.gv.egiz.stal.service.types.SignRequestType; import at.gv.egiz.stal.service.types.GetHashDataInputType.Reference; -//import at.gv.egiz.stal.service.types.GetHashDataInputResponseType.Reference; import com.sun.xml.ws.developer.UsesJAXBContext; -import java.io.ByteArrayOutputStream; -import java.io.IOException; -import java.io.InputStream; -import java.nio.charset.Charset; -import java.util.HashMap; -import java.util.Iterator; -import java.util.List; -import java.util.Map; -import javax.annotation.Resource; -import javax.jws.WebService; -import javax.servlet.ServletContext; -import javax.xml.bind.JAXBElement; -import javax.xml.ws.WebServiceContext; -import javax.xml.ws.handler.MessageContext; -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; /** * @@ -68,10 +68,10 @@ public class STALServiceImpl implements STALPortType { public static final String BINDING_PROCESSOR_MANAGER = "bindingProcessorManager"; public static final Id TEST_SESSION_ID = IdFactory.getInstance().createId("TestSession"); - protected static final Log log = LogFactory.getLog(STALServiceImpl.class); - + private final Logger log = LoggerFactory.getLogger(STALServiceImpl.class); static { + Logger log = LoggerFactory.getLogger(STALServiceImpl.class); if (log.isTraceEnabled()) { log.trace("enabling webservice communication dump"); System.setProperty("com.sun.xml.ws.transport.http.HttpAdapter.dump", "true"); 
@@ -91,227 +91,242 @@ public class STALServiceImpl implements STALPortType { public GetNextRequestResponseType connect(String sessId) { if (sessId == null) { - throw new NullPointerException("No session id provided"); + throw new NullPointerException("No session id provided."); } Id sessionId = idF.createId(sessId); + MDC.put("id", sessionId.toString()); - if (log.isDebugEnabled()) { - log.debug("Received Connect [" + sessionId + "]"); - } - - if (TEST_SESSION_ID.equals(sessionId)) { - return getTestSessionNextRequestResponse(null); - } - - GetNextRequestResponseType response = new GetNextRequestResponseType(); - response.setSessionId(sessionId.toString()); - - STALRequestBroker stal = getStal(sessionId); - - if (stal != null) { - - List<JAXBElement<? extends RequestType>> requestsOut = ((STALRequestBroker) stal).connect(); - response.getInfoboxReadRequestOrSignRequestOrQuitRequest().addAll(requestsOut); - - if (log.isDebugEnabled()) { - StringBuilder sb = new StringBuilder("Returning initial GetNextRequestResponse ["); - sb.append(sessionId.toString()); - sb.append("] containing "); - sb.append(requestsOut.size()); - sb.append(" requests: "); - for (JAXBElement<? extends RequestType> reqOut : requestsOut) { - sb.append(reqOut.getValue().getClass()); - sb.append(' '); + try { + log.debug("Received Connect."); + + if (TEST_SESSION_ID.equals(sessionId)) { + return getTestSessionNextRequestResponse(null); + } + + GetNextRequestResponseType response = new GetNextRequestResponseType(); + response.setSessionId(sessionId.toString()); + + STALRequestBroker stal = getStal(sessionId); + + if (stal != null) { + + List<JAXBElement<? 
extends RequestType>> requestsOut = ((STALRequestBroker) stal).connect(); + response.getInfoboxReadRequestOrSignRequestOrQuitRequest().addAll(requestsOut); + + if (log.isDebugEnabled()) { + StringBuilder sb = new StringBuilder("Returning initial GetNextRequestResponse containing "); + sb.append(requestsOut.size()); + sb.append(" requests: "); + for (JAXBElement<? extends RequestType> reqOut : requestsOut) { + sb.append(reqOut.getValue().getClass()); + sb.append(' '); + } + log.debug(sb.toString()); } - log.debug(sb.toString()); + } else { + log.error("Failed to get STAL, returning QuitRequest."); + QuitRequestType quitT = stalObjFactory.createQuitRequestType(); + JAXBElement<QuitRequestType> quit = stalObjFactory.createGetNextRequestResponseTypeQuitRequest(quitT); + response.getInfoboxReadRequestOrSignRequestOrQuitRequest().add(quit); } - } else { - log.error("Failed to get STAL for session " + sessionId + ", returning QuitRequest"); - QuitRequestType quitT = stalObjFactory.createQuitRequestType(); - JAXBElement<QuitRequestType> quit = stalObjFactory.createGetNextRequestResponseTypeQuitRequest(quitT); - response.getInfoboxReadRequestOrSignRequestOrQuitRequest().add(quit); + return response; + + } finally { + MDC.remove("id"); } - return response; } @Override public GetNextRequestResponseType getNextRequest(GetNextRequestType request) { if (request.getSessionId() == null) { - throw new NullPointerException("No session id provided"); + throw new NullPointerException("No session id provided."); } Id sessionId = idF.createId(request.getSessionId()); + MDC.put("id", sessionId.toString()); - List<JAXBElement<? 
extends ResponseType>> responsesIn = request.getInfoboxReadResponseOrSignResponseOrErrorResponse(); -// List<ResponseType> responsesIn = request.getInfoboxReadResponseOrSignResponseOrErrorResponse();//getResponse(); + try { - if (log.isDebugEnabled()) { - StringBuilder sb = new StringBuilder("Received GetNextRequest ["); - sb.append(sessionId.toString()); - sb.append("] containing "); - sb.append(responsesIn.size()); - sb.append(" responses: "); - for (JAXBElement<? extends ResponseType> respIn : responsesIn) { - sb.append(respIn.getValue().getClass()); - sb.append(' '); - } - log.debug(sb.toString()); - } - - if (TEST_SESSION_ID.equals(sessionId)) { - return getTestSessionNextRequestResponse(responsesIn); - } - - GetNextRequestResponseType response = new GetNextRequestResponseType(); - response.setSessionId(sessionId.toString()); - - STALRequestBroker stal = getStal(sessionId); - - if (stal != null) { - - List<JAXBElement<? extends RequestType>> requestsOut = ((STALRequestBroker) stal).nextRequest(responsesIn); - response.getInfoboxReadRequestOrSignRequestOrQuitRequest().addAll(requestsOut); + List<JAXBElement<? extends ResponseType>> responsesIn = request.getInfoboxReadResponseOrSignResponseOrErrorResponse(); if (log.isDebugEnabled()) { - StringBuilder sb = new StringBuilder("Returning GetNextRequestResponse ["); - sb.append(sessionId.toString()); - sb.append("] containing "); - sb.append(requestsOut.size()); - sb.append(" requests: "); - for (JAXBElement<? extends RequestType> reqOut : requestsOut) { - sb.append(reqOut.getValue().getClass()); + StringBuilder sb = new StringBuilder("Received GetNextRequest containing "); + sb.append(responsesIn.size()); + sb.append(" responses: "); + for (JAXBElement<? 
extends ResponseType> respIn : responsesIn) { + sb.append(respIn.getValue().getClass()); sb.append(' '); } log.debug(sb.toString()); } - } else { - log.error("Failed to get STAL for session " + sessionId + ", returning QuitRequest"); - QuitRequestType quitT = stalObjFactory.createQuitRequestType(); - JAXBElement<QuitRequestType> quit = stalObjFactory.createGetNextRequestResponseTypeQuitRequest(quitT); - response.getInfoboxReadRequestOrSignRequestOrQuitRequest().add(quit); + + if (TEST_SESSION_ID.equals(sessionId)) { + return getTestSessionNextRequestResponse(responsesIn); + } + + GetNextRequestResponseType response = new GetNextRequestResponseType(); + response.setSessionId(sessionId.toString()); + + STALRequestBroker stal = getStal(sessionId); + + if (stal != null) { + + List<JAXBElement<? extends RequestType>> requestsOut = ((STALRequestBroker) stal).nextRequest(responsesIn); + response.getInfoboxReadRequestOrSignRequestOrQuitRequest().addAll(requestsOut); + + if (log.isDebugEnabled()) { + StringBuilder sb = new StringBuilder("Returning GetNextRequestResponse containing "); + sb.append(requestsOut.size()); + sb.append(" requests: "); + for (JAXBElement<? 
extends RequestType> reqOut : requestsOut) { + sb.append(reqOut.getValue().getClass()); + sb.append(' '); + } + log.debug(sb.toString()); + } + } else { + log.error("Failed to get STAL, returning QuitRequest."); + QuitRequestType quitT = stalObjFactory.createQuitRequestType(); + JAXBElement<QuitRequestType> quit = stalObjFactory.createGetNextRequestResponseTypeQuitRequest(quitT); + response.getInfoboxReadRequestOrSignRequestOrQuitRequest().add(quit); + } + return response; + + } finally { + MDC.remove("id"); } - return response; } @Override public GetHashDataInputResponseType getHashDataInput(GetHashDataInputType request) throws GetHashDataInputFault { if (request.getSessionId() == null) { - throw new NullPointerException("No session id provided"); + throw new NullPointerException("No session id provided."); } Id sessionId = idF.createId(request.getSessionId()); + MDC.put("id", sessionId.toString()); - if (log.isDebugEnabled()) { - log.debug("Received GetHashDataInputRequest for session " + sessionId + " containing " + request.getReference().size() + " reference(s)"); - } - - if (TEST_SESSION_ID.equals(sessionId)) { - return getTestSessionHashDataInputResponse(request.getReference()); - } - - GetHashDataInputResponseType response = new GetHashDataInputResponseType(); - response.setSessionId(sessionId.toString()); - - STALRequestBroker stal = getStal(sessionId); - - if (stal != null) { - List<HashDataInput> hashDataInputs = stal.getHashDataInput(); - - if (hashDataInputs != null) { - - Map<String, HashDataInput> hashDataIdMap = new HashMap<String, HashDataInput>(); - for (HashDataInput hdi : hashDataInputs) { - if (log.isTraceEnabled()) { - log.trace("Provided HashDataInput for reference " + hdi.getReferenceId()); - } - hashDataIdMap.put(hdi.getReferenceId(), hdi); - } - - List<GetHashDataInputType.Reference> reqRefs = request.getReference(); - for (GetHashDataInputType.Reference reqRef : reqRefs) { - String reqRefId = reqRef.getID(); - HashDataInput reqHdi = 
hashDataIdMap.get(reqRefId); - if (reqHdi == null) { - String msg = "Failed to resolve HashDataInput for reference " + reqRefId; - log.error(msg); - GetHashDataInputFaultType faultInfo = new GetHashDataInputFaultType(); - faultInfo.setErrorCode(1); - faultInfo.setErrorMessage(msg); - throw new GetHashDataInputFault(msg, faultInfo); - } - - InputStream hashDataIS = reqHdi.getHashDataInput(); - if (hashDataIS == null) { - //HashDataInput not cached? - String msg = "Failed to obtain HashDataInput for reference " + reqRefId + ", reference not cached"; - log.error(msg); - GetHashDataInputFaultType faultInfo = new GetHashDataInputFaultType(); - faultInfo.setErrorCode(1); - faultInfo.setErrorMessage(msg); - throw new GetHashDataInputFault(msg, faultInfo); + try { + + if (log.isDebugEnabled()) { + log.debug("Received GetHashDataInputRequest containing {} reference(s).", request.getReference().size()); + } + + if (TEST_SESSION_ID.equals(sessionId)) { + return getTestSessionHashDataInputResponse(request.getReference()); + } + + GetHashDataInputResponseType response = new GetHashDataInputResponseType(); + response.setSessionId(sessionId.toString()); + + STALRequestBroker stal = getStal(sessionId); + + if (stal != null) { + List<HashDataInput> hashDataInputs = stal.getHashDataInput(); + + if (hashDataInputs != null) { + + Map<String, HashDataInput> hashDataIdMap = new HashMap<String, HashDataInput>(); + for (HashDataInput hdi : hashDataInputs) { + if (log.isTraceEnabled()) { + log.trace("Provided HashDataInput for reference {}.", hdi.getReferenceId()); + } + hashDataIdMap.put(hdi.getReferenceId(), hdi); } - ByteArrayOutputStream baos = null; - try { - if (log.isDebugEnabled()) { - log.debug("Resolved HashDataInput " + reqRefId + " (" + reqHdi.getMimeType() + ";charset=" + reqHdi.getEncoding() + ")"); + + List<GetHashDataInputType.Reference> reqRefs = request.getReference(); + for (GetHashDataInputType.Reference reqRef : reqRefs) { + String reqRefId = reqRef.getID(); + 
HashDataInput reqHdi = hashDataIdMap.get(reqRefId); + if (reqHdi == null) { + String msg = "Failed to resolve HashDataInput for reference " + reqRefId; + log.error(msg); + GetHashDataInputFaultType faultInfo = new GetHashDataInputFaultType(); + faultInfo.setErrorCode(1); + faultInfo.setErrorMessage(msg); + throw new GetHashDataInputFault(msg, faultInfo); } - baos = new ByteArrayOutputStream(hashDataIS.available()); - int c; - while ((c = hashDataIS.read()) != -1) { - baos.write(c); + + InputStream hashDataIS = reqHdi.getHashDataInput(); + if (hashDataIS == null) { + //HashDataInput not cached? + String msg = "Failed to obtain HashDataInput for reference " + reqRefId + ", reference not cached"; + log.error(msg); + GetHashDataInputFaultType faultInfo = new GetHashDataInputFaultType(); + faultInfo.setErrorCode(1); + faultInfo.setErrorMessage(msg); + throw new GetHashDataInputFault(msg, faultInfo); } - GetHashDataInputResponseType.Reference ref = new GetHashDataInputResponseType.Reference(); - ref.setID(reqRefId); - ref.setMimeType(reqHdi.getMimeType()); - ref.setEncoding(reqHdi.getEncoding()); - ref.setFilename(reqHdi.getFilename()); - ref.setValue(baos.toByteArray()); - response.getReference().add(ref); - } catch (IOException ex) { - String msg = "Failed to get HashDataInput for reference " + reqRefId; - log.error(msg, ex); - GetHashDataInputFaultType faultInfo = new GetHashDataInputFaultType(); - faultInfo.setErrorCode(1); - faultInfo.setErrorMessage(msg); - throw new GetHashDataInputFault(msg, faultInfo, ex); - } finally { + ByteArrayOutputStream baos = null; try { - baos.close(); + if (log.isDebugEnabled()) { + Object[] args = {reqRefId, reqHdi.getMimeType(), reqHdi.getEncoding()}; + log.debug("Resolved HashDataInput {} ({};charset={}).", args); + } + baos = new ByteArrayOutputStream(hashDataIS.available()); + int c; + while ((c = hashDataIS.read()) != -1) { + baos.write(c); + } + GetHashDataInputResponseType.Reference ref = new 
GetHashDataInputResponseType.Reference(); + ref.setID(reqRefId); + ref.setMimeType(reqHdi.getMimeType()); + ref.setEncoding(reqHdi.getEncoding()); + ref.setFilename(reqHdi.getFilename()); + ref.setValue(baos.toByteArray()); + response.getReference().add(ref); } catch (IOException ex) { + String msg = "Failed to get HashDataInput for reference " + reqRefId; + log.error(msg, ex); + GetHashDataInputFaultType faultInfo = new GetHashDataInputFaultType(); + faultInfo.setErrorCode(1); + faultInfo.setErrorMessage(msg); + throw new GetHashDataInputFault(msg, faultInfo, ex); + } finally { + try { + baos.close(); + } catch (IOException ex) { + } } } + return response; + } else { + String msg = "Failed to resolve any HashDataInputs."; + log.error(msg); + GetHashDataInputFaultType faultInfo = new GetHashDataInputFaultType(); + faultInfo.setErrorCode(1); + faultInfo.setErrorMessage(msg); + throw new GetHashDataInputFault(msg, faultInfo); } - return response; } else { - String msg = "Failed to resolve any HashDataInputs for session " + sessionId; + String msg = "Session timeout."; //Failed to get STAL for session " + sessionId; log.error(msg); GetHashDataInputFaultType faultInfo = new GetHashDataInputFaultType(); faultInfo.setErrorCode(1); faultInfo.setErrorMessage(msg); throw new GetHashDataInputFault(msg, faultInfo); } - } else { - String msg = "Session timeout"; //Failed to get STAL for session " + sessionId; - log.error(msg + " " + sessionId); - GetHashDataInputFaultType faultInfo = new GetHashDataInputFaultType(); - faultInfo.setErrorCode(1); - faultInfo.setErrorMessage(msg); - throw new GetHashDataInputFault(msg, faultInfo); + + } finally { + MDC.remove("id"); } } private STALRequestBroker getStal(Id sessionId) { - if (log.isTraceEnabled()) { - log.trace("resolve STAL for session " + sessionId); - } + log.trace("Resolve STAL for session [{}].", sessionId); MessageContext mCtx = wsContext.getMessageContext(); ServletContext sCtx = (ServletContext) 
mCtx.get(MessageContext.SERVLET_CONTEXT); BindingProcessorManager bpMgr = (BindingProcessorManager) sCtx.getAttribute(BINDING_PROCESSOR_MANAGER); - BindingProcessor bp = bpMgr.getBindingProcessor(sessionId); - return (bp == null) ? null : (bp.isFinished() ? null : (STALRequestBroker) bp.getSTAL()); + BindingProcessor bindingProcessor = bpMgr.getBindingProcessor(sessionId); + if (bindingProcessor != null) { + if (bindingProcessor.getSTAL() instanceof STALRequestBroker) { + return (STALRequestBroker) bindingProcessor.getSTAL(); + } + } + return null; } private GetNextRequestResponseType getTestSessionNextRequestResponse(List<JAXBElement<? extends ResponseType>> responsesIn) { @@ -359,6 +374,7 @@ public class STALServiceImpl implements STALPortType { return response; } + @SuppressWarnings("unused") private void addTestCardChannelRequest(List<JAXBElement<? extends RequestType>> requestList) { log.info("[TestSession] add CARDCHANNEL request"); ScriptType scriptT = ccObjFactory.createScriptType(); @@ -368,6 +384,7 @@ public class STALServiceImpl implements STALPortType { requestList.add(ccObjFactory.createScript(scriptT)); } + @SuppressWarnings("unused") private void addTestInfoboxReadRequest(String infoboxIdentifier, List<JAXBElement<? extends RequestType>> requestList) { log.info("[TestSession] add READ "+ infoboxIdentifier + " request"); InfoboxReadRequestType ibrT = stalObjFactory.createInfoboxReadRequestType(); diff --git a/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/STALXJAXBContextFactory.java b/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/STALXJAXBContextFactory.java index 9caf950f..300f01d0 100644 --- a/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/STALXJAXBContextFactory.java +++ b/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/STALXJAXBContextFactory.java 
@@ -23,8 +23,8 @@ import com.sun.xml.ws.developer.JAXBContextFactory; import java.util.ArrayList; import java.util.List; import javax.xml.bind.JAXBException; -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; /** * @@ -32,8 +32,9 @@ import org.apache.commons.logging.LogFactory; */ public class STALXJAXBContextFactory implements JAXBContextFactory { - private static final Log log = LogFactory.getLog(STALXJAXBContextFactory.class); + private final Logger log = LoggerFactory.getLogger(STALXJAXBContextFactory.class); + @SuppressWarnings("unchecked") @Override public JAXBRIContext createJAXBContext(SEIModel sei, List<Class> classesToBind, List<TypeReference> typeReferences) throws JAXBException { if (log.isTraceEnabled()) { diff --git a/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/TestSignatureData.java b/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/TestSignatureData.java index 2f58bb3d..45efc890 100644 --- a/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/TestSignatureData.java +++ b/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/TestSignatureData.java @@ -6,13 +6,11 @@ import java.util.HashMap; import java.util.List; import java.util.Map; -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; public final class TestSignatureData { - protected final static Log log = LogFactory.getLog(TestSignatureData.class); - public static final String[] ID = new String[] {"signed-data-reference-0-1214921968-27971781-24309", "signed-data-reference-1"}; public static final String ENCODING = "UTF-8"; 
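Review bot: The rewritten field `private final Logger log = LoggerFactory.getLogger(STALXJAXBContextFactory.class);` drops the `static` that the old `Log` field had, so the logger is now looked up per instance instead of once per class; `private static final Logger log = LoggerFactory.getLogger(STALXJAXBContextFactory.class);` keeps the previous scope and matches the usual SLF4J convention. The `@SuppressWarnings("unchecked")` added above `createJAXBContext` covers the whole method, whose body continues outside the hunk, so a short comment naming the unchecked operation it silences (presumably the raw `List<Class>` parameter) would keep it from masking later additions.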
@@ -22,6 +20,7 @@ public final class TestSignatureData {
 HASHDATA_INPUT.put(ID[0], "Ich bin ein einfacher Text. lläöü߀".getBytes(ENCODING));
 HASHDATA_INPUT.put(ID[1], "2te referenz".getBytes(ENCODING));
 } catch (UnsupportedEncodingException ex) {
+ Logger log = LoggerFactory.getLogger(TestSignatureData.class);
 log.error("failed to init signature test data", ex);
 }
 }
diff --git a/BKUOnline/src/main/policy/50mocca.policy b/BKUOnline/src/main/policy/50mocca.policy
index 2d6bc13d..8cda9eb6 100644
--- a/BKUOnline/src/main/policy/50mocca.policy
+++ b/BKUOnline/src/main/policy/50mocca.policy
@@ -18,8 +18,7 @@
 // || IMPORTANT: REVIEW AND ADAPT TO YOUR NEEDS PRIOR TO INSTALLATION
 // =========================================================================
 //
-// (set -Djava.security.debug=access,failure and search for "FAILED")
-//
+// (set -Djava.security.debug=access,failure and search for "denied" (failed))
 //
 // ========== MOCCA CODE PERMISSIONS =======================================
 //
@@ -27,9 +26,11 @@
 // with ${catalina.base}/webapps/<mocca_context>
 // replace ${catalina.base}/work/Catalina/localhost/bkuonline
 // with ${catalina.base}/work/Catalina/localhost/<mocca_context> (the path to the compiled JSPs, excl. package dir: org/apache/jsp/)
-// replace version info in utils-1.2.10.jar and bkucommon-1.2.10.jar
+// replace version info in
+// ${catalina.base}/webapps/bkuonline/WEB-INF/lib/utils-1.2.12.jar and
+// ${catalina.base}/webapps/bkuonline/WEB-INF/lib/bkucommon-1.2.12.jar
 // with current version
-// replace apps.egiz.gv.at
+// replace www.sozialversicherung.gv.at:443
 // with <DataURL_host:DataURL_port>
 // replace localhost:8080
 // with <StylesheetURL_host:StylesheetURL_port>
@@ -40,7 +41,7 @@ // // replace www.a-trust.at and ksp.ecard.sozialversicherung.gv.at // with <idLink_template_download_URL> -// replace ldap.a-trust.at:389 and ocsp.ecard.sozialversicherung.at:80 +// replace ldap.a-trust.at:389, ocsp.a-trust.at:80 and ocsp.ecard.sozialversicherung.at:80 // with <certificate_revocation_authority_endpoint> (OCSP, CRLs) // @@ -49,6 +50,8 @@ grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" { permission java.lang.RuntimePermission "accessClassInPackage.sun.util.logging.resources"; permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/logging.properties", "read"; + // (for manager webapp) + // permission java.lang.RuntimePermission "setContextClassLoader"; }; grant codeBase "file:${catalina.base}/work/Catalina/localhost/bkuonline" { 
@@ -58,47 +61,25 @@ grant codeBase "file:${catalina.base}/work/Catalina/localhost/bkuonline" { // =========== MOCCA grants // -grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/classes/-" { - permission java.security.AllPermission; -// permission java.io.FilePermission "${catalina.base}/logs", "read, write"; -// permission java.io.FilePermission "${catalina.base}/logs/*", "read, write"; -// permission java.io.FilePermission "${catalina.base}/logs/*", "delete"; -// permission java.util.PropertyPermission "com.sun.xml.ws.fault.SOAPFaultBuilder.disableCaptureStackTrace", "write"; -// permission java.util.PropertyPermission "com.sun.xml.ws.transport.http.HttpAdapter.dump", "write"; -}; - -grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/-" { - // the log4j configuration might want to write logs to ${catalina.base}/logs/bkuonline.log +grant codeBase "file:${catalina.base}/webapps/bkuonline/-" { permission java.io.FilePermission "${catalina.base}/logs", "read, write"; permission java.io.FilePermission "${catalina.base}/logs/*", "read, write"; permission java.io.FilePermission "${catalina.base}/logs/*", "delete"; -}; - -grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/utils-1.2.10.jar" { - permission java.util.PropertyPermission "*", "read"; - permission java.net.SocketPermission "www.a-trust.at:80", "connect, resolve"; - permission java.net.SocketPermission "ksp.ecard.sozialversicherung.gv.at:80", "connect,resolve"; -// permission java.net.SocketPermission "localhost:8080", "connect, resolve"; - permission java.net.SocketPermission "www.xslt-stylesheet-include-url.org:80", "connect, resolve"; - permission java.lang.RuntimePermission "accessDeclaredMembers"; - permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; -}; - -grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/bkucommon-1.2.10.jar" { - permission java.io.FilePermission 
"${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write"; - permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write"; - permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete"; - permission java.io.FilePermission "../conf/secret.xml", "read"; + // DataURLs permission java.net.SocketPermission "apps.egiz.gv.at:443", "connect, resolve"; + permission java.net.SocketPermission "www.buergerkarte.at:443", "connect, resolve"; + permission java.net.SocketPermission "www.sozialversicherung.gv.at:443", "connect, resolve"; + + // other resources (crls, persb.xsl, ...) permission java.net.SocketPermission "www.a-trust.at:80", "connect, resolve"; permission java.net.SocketPermission "ksp.ecard.sozialversicherung.gv.at:80", "connect,resolve"; permission java.net.SocketPermission "ldap.a-trust.at:389", "connect, resolve"; + permission java.net.SocketPermission "ocsp.a-trust.at:80", "connect, resolve"; permission java.net.SocketPermission "ocsp.ecard.sozialversicherung.at:80", "connect, resolve"; // permission java.net.SocketPermission "localhost:8080", "connect, resolve"; - permission java.net.SocketPermission "www.xslt-stylesheet-include-url.org:80", "connect, resolve"; - permission java.net.NetPermission "specifyStreamHandler"; - permission java.util.PropertyPermission "*", "read, write"; +// permission java.net.SocketPermission "www.xslt-stylesheet-include-url.org:80", "connect, resolve"; + permission java.security.SecurityPermission "insertProvider.IAIK"; permission java.security.SecurityPermission "putProviderProperty.IAIK"; permission java.security.SecurityPermission "removeProvider.IAIK"; 
@@ -111,143 +92,127 @@ grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/bkucommon-1. // XMLDSig is moved backwards by XSECT permission java.security.SecurityPermission "insertProvider.XMLDSig"; permission java.security.SecurityPermission "removeProvider.XMLDSig"; + + permission java.util.PropertyPermission "*", "read"; permission java.lang.RuntimePermission "accessDeclaredMembers"; - permission java.lang.RuntimePermission "setFactory"; + permission java.lang.RuntimePermission "getClassLoader"; permission java.lang.RuntimePermission "getProtectionDomain"; + //bkucommon,pki permission java.lang.RuntimePermission "accessClassInPackage.sun.net.www.protocol.ldap"; + //jax-ws jaxb + permission java.lang.RuntimePermission "accessClassInPackage.sun.util.logging.resources"; + //permission java.lang.RuntimePermission "modifyThread"; + //permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; + permission java.net.NetPermission "specifyStreamHandler"; +}; + +grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/classes/-" { +// permission java.util.PropertyPermission "com.sun.xml.ws.fault.SOAPFaultBuilder.disableCaptureStackTrace", "write"; +// permission java.util.PropertyPermission "com.sun.xml.ws.transport.http.HttpAdapter.dump", "write"; + + permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write"; + permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write"; + permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete"; + + permission java.lang.RuntimePermission "defineClassInPackage.java.lang"; + permission java.util.PropertyPermission "*", "read, write"; permission java.lang.RuntimePermission "modifyThread"; + permission java.lang.RuntimePermission "setFactory"; permission java.lang.reflect.ReflectPermission 
"suppressAccessChecks"; }; -grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/iaik_jce_full_signed-3.16.jar" { +grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/utils-1.2.12.jar" { +// permission java.lang.RuntimePermission "accessDeclaredMembers"; + permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; +}; + +grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/bkucommon-1.2.12.jar" { + permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write"; + permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write"; + permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete"; + permission java.io.FilePermission "${catalina.base}/temp/*", "read, write"; +// permission java.io.FilePermission "../conf/secret.xml", "read"; permission java.util.PropertyPermission "*", "read, write"; - permission java.security.SecurityPermission "insertProvider.IAIK"; - permission java.security.SecurityPermission "putProviderProperty.IAIK"; - permission java.security.SecurityPermission "removeProvider.IAIK"; - permission java.net.SocketPermission "ldap.a-trust.at:389", "connect, resolve"; - permission java.net.SocketPermission "ocsp.ecard.sozialversicherung.at:80", "connect, resolve"; + permission java.lang.RuntimePermission "modifyThread"; + permission java.lang.RuntimePermission "setFactory"; + permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; }; -grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/iaik_ecc_signed-2.15.jar" { - permission java.security.SecurityPermission "insertProvider.IAIK_ECC"; - permission java.security.SecurityPermission "putProviderProperty.IAIK_ECC"; +grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/iaik_jce_full_signed-3.16.jar" { 
+ permission java.util.PropertyPermission "*", "read, write"; }; grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/iaik_xsect-1.14.jar" { permission java.util.PropertyPermission "*", "read, write"; - permission java.security.SecurityPermission "insertProvider.IAIK"; - permission java.security.SecurityPermission "putProviderProperty.IAIK"; - permission java.security.SecurityPermission "removeProvider.IAIK"; - permission java.security.SecurityPermission "insertProvider.XSECT"; - permission java.security.SecurityPermission "putProviderProperty.XSECT"; - permission java.security.SecurityPermission "insertProvider.XMLDSig"; - permission java.security.SecurityPermission "removeProvider.XMLDSig"; }; grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/iaik_pki-1.0-MOCCA.jar" { permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write"; permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write"; permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete"; - permission java.net.SocketPermission "www.a-trust.at:80", "connect, resolve"; - permission java.net.SocketPermission "ldap.a-trust.at:389", "connect, resolve"; - permission java.net.SocketPermission "ocsp.ecard.sozialversicherung.at:80", "connect, resolve"; - permission java.net.NetPermission "specifyStreamHandler"; - permission java.lang.RuntimePermission "accessClassInPackage.sun.net.www.protocol.ldap"; + //permission java.net.NetPermission "specifyStreamHandler"; + //permission java.lang.RuntimePermission "accessClassInPackage.sun.net.www.protocol.ldap"; }; grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/xalan-2.7.1.jar" { permission java.io.FilePermission "${java.home}/lib/xalan.properties", "read"; - permission java.util.PropertyPermission "*", 
"read"; - permission java.lang.RuntimePermission "getClassLoader"; -}; - -grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/serializer-2.7.1.jar" { - permission java.util.PropertyPermission "*", "read"; - permission java.lang.RuntimePermission "getClassLoader"; + //permission java.lang.RuntimePermission "getClassLoader"; }; // allow xsl:include from the specified URL -grant codeBase "jar:file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/xalan-2.7.1.jar!/org/apache/xalan/processor/-" { - permission java.net.SocketPermission "www.xslt-stylesheet-include-url.org:80", "connect, resolve"; -}; +//grant codeBase "jar:file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/xalan-2.7.1.jar!/org/apache/xalan/processor/-" { +// permission java.net.SocketPermission "www.xslt-stylesheet-include-url.org:80", "connect, resolve"; +//}; // allow XSLT document function to reference the specified URL -grant codeBase "jar:file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/xalan-2.7.1.jar!/org/apache/xalan/xsltc/dom/LoadDocument.class" { - permission java.io.FilePermission "../conf/secret.xml", "read"; -}; +//grant codeBase "jar:file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/xalan-2.7.1.jar!/org/apache/xalan/xsltc/dom/LoadDocument.class" { +// permission java.io.FilePermission "../conf/secret.xml", "read"; +//}; // use tomcat/jre endorsed xerces instead grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/xercesImpl-2.9.1.jar" { permission java.io.FilePermission "${java.home}/lib/xerces.properties", "read"; // permission java.io.FilePermission "../conf/secret.xml", "read"; // permission java.net.SocketPermission "www.xslt-stylesheet-include-url.org:80", "connect, resolve"; - permission java.util.PropertyPermission "*", "read"; + permission java.io.FilePermission "/WEB-INF/classes/-", "read"; permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina"; permission java.lang.RuntimePermission 
"accessClassInPackage.org.apache.catalina.*"; - permission java.lang.RuntimePermission "getClassLoader"; - permission java.lang.RuntimePermission "accessDeclaredMembers"; + //permission java.lang.RuntimePermission "accessDeclaredMembers"; }; grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/commons-logging-1.1.1.jar" { - permission java.util.PropertyPermission "org.apache.commons.logging.*", "read"; - permission java.util.PropertyPermission "log4j.*", "read"; - permission java.util.PropertyPermission "catalina.base", "read"; - permission java.lang.RuntimePermission "getClassLoader"; permission java.lang.RuntimePermission "defineClassInPackage.java.lang"; }; grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/log4j-1.2.12.jar" { permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/log4j.properties", "read"; - // allow log4j to read its own properties - permission java.util.PropertyPermission "log4j.*", "read"; - permission java.util.PropertyPermission "catalina.base", "read"; permission java.lang.RuntimePermission "defineClassInPackage.java.lang"; }; grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/spring-core-2.5.5.jar" { - permission java.lang.RuntimePermission "accessDeclaredMembers"; + //permission java.lang.RuntimePermission "accessDeclaredMembers"; permission java.lang.RuntimePermission "modifyThread"; }; + grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/spring-web-2.5.5.jar" { permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write"; permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write"; permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete"; - permission java.security.SecurityPermission "insertProvider.IAIK"; - permission 
java.security.SecurityPermission "putProviderProperty.IAIK"; - permission java.security.SecurityPermission "removeProvider.IAIK"; - permission java.security.SecurityPermission "insertProvider.IAIK_ECC"; - permission java.security.SecurityPermission "putProviderProperty.IAIK_ECC"; - permission java.security.SecurityPermission "insertProvider.XSECT"; - permission java.security.SecurityPermission "putProviderProperty.XSECT"; - permission java.security.SecurityPermission "insertProvider.STAL"; - permission java.security.SecurityPermission "putProviderProperty.STAL"; - permission java.security.SecurityPermission "insertProvider.XMLDSig"; - permission java.security.SecurityPermission "removeProvider.XMLDSig"; permission java.util.PropertyPermission "*", "read, write"; - permission java.lang.RuntimePermission "accessDeclaredMembers"; + //permission java.lang.RuntimePermission "accessDeclaredMembers"; permission java.lang.RuntimePermission "modifyThread"; permission java.lang.RuntimePermission "setFactory"; - permission java.lang.RuntimePermission "getProtectionDomain"; + //permission java.lang.RuntimePermission "getProtectionDomain"; permission java.lang.RuntimePermission "defineClassInPackage.java.lang"; permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; }; + grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/spring-beans-2.5.5.jar" { permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write"; permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write"; permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete"; - permission java.security.SecurityPermission "insertProvider.IAIK"; - permission java.security.SecurityPermission "putProviderProperty.IAIK"; - permission java.security.SecurityPermission "removeProvider.IAIK"; 
- permission java.security.SecurityPermission "insertProvider.IAIK_ECC"; - permission java.security.SecurityPermission "putProviderProperty.IAIK_ECC"; - permission java.security.SecurityPermission "insertProvider.XSECT"; - permission java.security.SecurityPermission "putProviderProperty.XSECT"; - permission java.security.SecurityPermission "insertProvider.STAL"; - permission java.security.SecurityPermission "putProviderProperty.STAL"; - permission java.security.SecurityPermission "insertProvider.XMLDSig"; - permission java.security.SecurityPermission "removeProvider.XMLDSig"; permission java.util.PropertyPermission "*", "read, write"; - permission java.lang.RuntimePermission "accessDeclaredMembers"; + //permission java.lang.RuntimePermission "accessDeclaredMembers"; permission java.lang.RuntimePermission "setFactory"; permission java.lang.RuntimePermission "getProtectionDomain"; permission java.lang.RuntimePermission "defineClassInPackage.java.lang"; 
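Review bot: The runtime permissions added at the top of this hunk (`permission java.util.PropertyPermission "*", "read";`, `getClassLoader`, `accessClassInPackage.sun.util.logging.resources`, `permission java.net.NetPermission "specifyStreamHandler";`) land in the grant block opened by the preceding hunk (L355–L356) for `file:${catalina.base}/webapps/bkuonline/-`, which matches every jar under WEB-INF/lib as well as WEB-INF/classes. Together with the socket permissions and the `insertProvider.IAIK`/`removeProvider.XMLDSig` security permissions that now sit in that same block as context lines, this replaces the earlier per-jar scoping with one webapp-wide grant, so third-party jars such as xalan, xerces or commons-logging can register or remove JCA providers and open connections to the listed hosts. If that widening is intended, a comment on the `grant codeBase "file:${catalina.base}/webapps/bkuonline/-"` line saying why per-jar scoping was given up would help the next reviewer; otherwise keeping the provider and socket permissions on the `utils-1.2.12.jar` and `bkucommon-1.2.12.jar` grants this hunk already defines would preserve least privilege. Separately, the new `permission java.io.FilePermission "/WEB-INF/classes/-", "read";` under the xercesImpl grant (repeated in the jaxws-rt hunk at L365–L366 and the jaxb-impl hunk that starts at L366) is an absolute filesystem path rather than `${catalina.base}/webapps/bkuonline/WEB-INF/classes/-`, so it presumably either grants nothing or points outside the webapp; the path the denied access actually named is worth confirming before this ships.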
@@ -257,19 +222,8 @@ grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/spring-conte
 permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write";
 permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write";
 permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete";
- permission java.security.SecurityPermission "insertProvider.IAIK";
- permission java.security.SecurityPermission "putProviderProperty.IAIK";
- permission java.security.SecurityPermission "removeProvider.IAIK";
- permission java.security.SecurityPermission "insertProvider.IAIK_ECC";
- permission java.security.SecurityPermission "putProviderProperty.IAIK_ECC";
- permission java.security.SecurityPermission "insertProvider.XSECT";
- permission java.security.SecurityPermission "putProviderProperty.XSECT";
- permission java.security.SecurityPermission "insertProvider.STAL";
- permission java.security.SecurityPermission "putProviderProperty.STAL";
- permission java.security.SecurityPermission "insertProvider.XMLDSig";
- permission java.security.SecurityPermission "removeProvider.XMLDSig";
 permission java.util.PropertyPermission "*", "read, write";
- permission java.lang.RuntimePermission "accessDeclaredMembers";
+ //permission java.lang.RuntimePermission "accessDeclaredMembers";
 permission java.lang.RuntimePermission "modifyThread";
 permission java.lang.RuntimePermission "setFactory";
 permission java.lang.RuntimePermission "getProtectionDomain";
@@ -280,20 +234,21 @@ grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/spring-conte
 grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/jaxws-rt-2.1.5.jar" {
  // need write access to set disableCaptureStackTrace and HttpAdapter.dump
  permission java.util.PropertyPermission "com.sun.xml.ws.*", "read, write";
- permission java.util.PropertyPermission "com.sun.xml.bind.*", "read";
- permission java.util.PropertyPermission "javax.xml.soap.*", "read";
- permission java.util.PropertyPermission "javax.activation.*", "read";
- permission java.util.PropertyPermission "xml.catalog.*", "read";
- permission java.util.PropertyPermission "user.dir", "read";
- permission java.util.PropertyPermission "user.home", "read";
+ //permission java.util.PropertyPermission "com.sun.xml.bind.*", "read";
+ //permission java.util.PropertyPermission "javax.xml.soap.*", "read";
+ //permission java.util.PropertyPermission "javax.activation.*", "read";
+ //permission java.util.PropertyPermission "xml.catalog.*", "read";
+ //permission java.util.PropertyPermission "user.dir", "read";
+ //permission java.util.PropertyPermission "user.home", "read";
  permission java.io.FilePermission "${java.home}/lib/jaxm.properties", "read";
  permission java.io.FilePermission "${java.home}/lib/mailcap", "read";
  permission java.io.FilePermission "${user.home}/.mailcap", "read";
  permission java.io.FilePermission "basename", "read";
  permission java.io.FilePermission "${catalina.home}/bin/xcatalog", "read";
- permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
- permission java.lang.RuntimePermission "accessDeclaredMembers";
- permission java.lang.RuntimePermission "accessClassInPackage.sun.util.logging.resources";
+ permission java.io.FilePermission "${catalina.home}/temp/xcatalog", "read";
+ permission java.io.FilePermission "/WEB-INF/classes/-", "read";
+ //permission java.lang.RuntimePermission "accessDeclaredMembers";
+ //permission java.lang.RuntimePermission "accessClassInPackage.sun.util.logging.resources";
  permission java.lang.RuntimePermission "setContextClassLoader";
  permission javax.management.MBeanServerPermission "createMBeanServer";
  permission javax.management.MBeanPermission "com.sun.xml.ws.*", "registerMBean";
@@ -302,18 +257,16 @@ grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/jaxws-rt-2.1
 };
 
 grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/jaxb-impl-2.1.9.jar" {
+ //permission java.lang.RuntimePermission "accessClassInPackage.sun.util.logging.resources";
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
- permission java.lang.RuntimePermission "accessDeclaredMembers";
- permission java.util.PropertyPermission "com.sun.xml.bind.v2.*", "read";
- permission java.util.PropertyPermission "user.dir", "read";
-};
-
-grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/commons-httpclient-3.1.jar" {
- permission java.util.PropertyPermission "*", "read";
+// permission java.lang.RuntimePermission "accessDeclaredMembers";
+// permission java.util.PropertyPermission "com.sun.xml.bind.v2.*", "read";
+// permission java.util.PropertyPermission "user.dir", "read";
+ permission java.io.FilePermission "/WEB-INF/classes/-", "read";
 };
 
 // ======== NETBEANS
 
-//grant codeBase "file:${catalina.base}/nblib/-" {
-// permission java.security.AllPermission;
-//};
\ No newline at end of file
+grant codeBase "file:${catalina.base}/nblib/-" {
+ permission java.security.AllPermission;
+};
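Review bot: The NETBEANS grant at the end of this hunk is now live (`+grant codeBase "file:${catalina.base}/nblib/-" { permission java.security.AllPermission; };`) where the old side kept it commented out; with AllPermission, anything placed under `${catalina.base}/nblib` runs entirely outside the sandbox this policy exists to enforce. Since this file is shipped from src/main, the block should stay commented out by default (as before) or move to a development-only policy, with a comment such as `// in-place IDE deployment only - keep disabled on production installs`. The two new `permission java.io.FilePermission "/WEB-INF/classes/-", "read";` lines (jaxws-rt and jaxb-impl) name an absolute path at the filesystem root rather than a path inside the webapp; the neighbouring grants spell it `${catalina.base}/webapps/bkuonline/WEB-INF/classes/...`, so this looks like an oversight worth confirming, as written it likely matches nothing. The jaxws-rt grant block starts outside the hunk.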
\ No newline at end of file
diff --git a/BKUOnline/src/main/policy/catalina.policy b/BKUOnline/src/main/policy/catalina.policy
new file mode 100644
index 00000000..2dfb198f
--- /dev/null
+++ b/BKUOnline/src/main/policy/catalina.policy
@@ -0,0 +1,411 @@
+// Copyright 2008 Federal Chancellery Austria and
+// Graz University of Technology
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+//
+// =========================================================================
+// || IMPORTANT: REVIEW AND ADAPT TO YOUR NEEDS PRIOR TO INSTALLATION
+// =========================================================================
+//
+// =========================================================================
+// || This file contains all default permissions from $CATALINA_HOME/conf/catalina.policy
+// || and codebase paths to development dirs (for in-place deployment of IDEs)
+// =========================================================================
+//
+// (set -Djava.security.debug=access,failure and search for "denied" (failed))
+// (-Djava.net.preferIPv4Stack=true)
+//
+// ========== MOCCA CODE PERMISSIONS =======================================
+//
+// replace ${catalina.base}/webapps/bkuonline
+// with ${catalina.base}/webapps/<mocca_context>
+// replace ${catalina.base}/work/Catalina/localhost/bkuonline
+// with ${catalina.base}/work/Catalina/localhost/<mocca_context> (the path to the compiled JSPs, excl. package dir: org/apache/jsp/)
+// replace version info in
+// ${catalina.base}/webapps/bkuonline/WEB-INF/lib/BKUViewer-1.2.12.jar" {
+// ${catalina.base}/webapps/bkuonline/WEB-INF/lib/utils-1.2.12.jar and
+// ${catalina.base}/webapps/bkuonline/WEB-INF/lib/bkucommon-1.2.12.jar
+// with current version
+// replace www.sozialversicherung.gv.at:443
+// with <DataURL_host:DataURL_port>
+// replace localhost:8080
+// with <StylesheetURL_host:StylesheetURL_port>
+// replace www.xslt-stylesheet-include-url.org:80
+// with <XSL_include_URL>
+// replace ../conf/secret.xml
+// with <any_resource_you_would_like_to_grant_XSLTs_document()_function_access_to>
+//
+// replace www.a-trust.at and ksp.ecard.sozialversicherung.gv.at
+// with <idLink_template_download_URL>
+// replace ldap.a-trust.at:389, ocsp.a-trust.at:80 and ocsp.ecard.sozialversicherung.at:80
+// with <certificate_revocation_authority_endpoint> (OCSP, CRLs)
+//
+
+// ========== SYSTEM CODE PERMISSIONS =========================================
+
+
+// These permissions apply to javac
+grant codeBase "file:${java.home}/lib/-" {
+ permission java.security.AllPermission;
+};
+
+// These permissions apply to all shared system extensions
+grant codeBase "file:${java.home}/jre/lib/ext/-" {
+ permission java.security.AllPermission;
+};
+
+// These permissions apply to javac when ${java.home] points at $JAVA_HOME/jre
+grant codeBase "file:${java.home}/../lib/-" {
+ permission java.security.AllPermission;
+};
+
+// These permissions apply to all shared system extensions when
+// ${java.home} points at $JAVA_HOME/jre
+grant codeBase "file:${java.home}/lib/ext/-" {
+ permission java.security.AllPermission;
+};
+
+
+// ========== CATALINA CODE PERMISSIONS =======================================
+
+
+// These permissions apply to the daemon code
+grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
+ permission java.security.AllPermission;
+};
+
+// These permissions apply to the logging API
+grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
+ permission java.util.PropertyPermission "java.util.logging.config.class", "read";
+ permission java.util.PropertyPermission "java.util.logging.config.file", "read";
+ permission java.io.FilePermission "${java.home}${file.separator}lib${file.separator}logging.properties", "read";
+ permission java.lang.RuntimePermission "shutdownHooks";
+ permission java.io.FilePermission "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
+ permission java.util.PropertyPermission "catalina.base", "read";
+ permission java.util.logging.LoggingPermission "control";
+ permission java.io.FilePermission "${catalina.base}${file.separator}logs", "read, write";
+ permission java.io.FilePermission "${catalina.base}${file.separator}logs${file.separator}*", "read, write";
+ permission java.lang.RuntimePermission "getClassLoader";
+
+ // added by clemenso (for manager webapp)
+ permission java.lang.RuntimePermission "setContextClassLoader";
+ permission java.lang.RuntimePermission "accessClassInPackage.sun.util.logging.resources";
+
+ // To enable per context logging configuration, permit read access to the appropriate file.
+ // Be sure that the logging configuration is secure before enabling such access
+ // eg for the examples web application:
+ // permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read";
+};
+
+// These permissions apply to the server startup code
+grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
+ permission java.security.AllPermission;
+};
+
+// These permissions apply to the servlet API classes
+// and those that are shared across all class loaders
+// located in the "lib" directory
+grant codeBase "file:${catalina.home}/lib/-" {
+ permission java.security.AllPermission;
+};
+
+
+// ========== WEB APPLICATION PERMISSIONS =====================================
+
+
+// These permissions are granted by default to all web applications
+// In addition, a web application will be given a read FilePermission
+// and JndiPermission for all files and directories in its document root.
+grant {
+ // Required for JNDI lookup of named JDBC DataSource's and
+ // javamail named MimePart DataSource used to send mail
+ permission java.util.PropertyPermission "java.home", "read";
+ permission java.util.PropertyPermission "java.naming.*", "read";
+ permission java.util.PropertyPermission "javax.sql.*", "read";
+
+ // OS Specific properties to allow read access
+ permission java.util.PropertyPermission "os.name", "read";
+ permission java.util.PropertyPermission "os.version", "read";
+ permission java.util.PropertyPermission "os.arch", "read";
+ permission java.util.PropertyPermission "file.separator", "read";
+ permission java.util.PropertyPermission "path.separator", "read";
+ permission java.util.PropertyPermission "line.separator", "read";
+
+ // JVM properties to allow read access
+ permission java.util.PropertyPermission "java.version", "read";
+ permission java.util.PropertyPermission "java.vendor", "read";
+ permission java.util.PropertyPermission "java.vendor.url", "read";
+ permission java.util.PropertyPermission "java.class.version", "read";
+ permission java.util.PropertyPermission "java.specification.version", "read";
+ permission java.util.PropertyPermission "java.specification.vendor", "read";
+ permission java.util.PropertyPermission "java.specification.name", "read";
+
+ permission java.util.PropertyPermission "java.vm.specification.version", "read";
+ permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
+ permission java.util.PropertyPermission "java.vm.specification.name", "read";
+ permission java.util.PropertyPermission "java.vm.version", "read";
+ permission java.util.PropertyPermission "java.vm.vendor", "read";
+ permission java.util.PropertyPermission "java.vm.name", "read";
+
+ // Required for OpenJMX
+ permission java.lang.RuntimePermission "getAttribute";
+
+ // Allow read of JAXP compliant XML parser debug
+ permission java.util.PropertyPermission "jaxp.debug", "read";
+
+ // Precompiled JSPs need access to this package.
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*";
+
+ // Precompiled JSPs need access to this system property.
+ permission java.util.PropertyPermission "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read";
+
+};
+
+
+
+
+
+
+
+
+// =========== container grants required by MOCCA
+//
+grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
+ permission java.lang.RuntimePermission "accessClassInPackage.sun.util.logging.resources";
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/logging.properties", "read";
+ // (for manager webapp)
+ permission java.lang.RuntimePermission "setContextClassLoader";
+};
+
+grant codeBase "file:${catalina.base}/work/Catalina/localhost/bkuonline" {
+ permission java.io.FilePermission "/helpfiles/-", "read";
+ permission java.lang.RuntimePermission "defineClassInPackage.org.apache.jasper.runtime";
+};
+
+// =========== MOCCA grants
+//
+grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/-" {
+ permission java.io.FilePermission "${catalina.base}/logs", "read, write";
+ permission java.io.FilePermission "${catalina.base}/logs/*", "read, write";
+ permission java.io.FilePermission "${catalina.base}/logs/*", "delete";
+
+ // DataURLs
+ permission java.net.SocketPermission "apps.egiz.gv.at:443", "connect, resolve";
+ permission java.net.SocketPermission "www.buergerkarte.at:443", "connect, resolve";
+ permission java.net.SocketPermission "www.sozialversicherung.gv.at:443", "connect, resolve";
+
+ // other resources (crls, persb.xsl, ...)
+ permission java.net.SocketPermission "www.a-trust.at:80", "connect, resolve";
+ permission java.net.SocketPermission "ksp.ecard.sozialversicherung.gv.at:80", "connect,resolve";
+ permission java.net.SocketPermission "ldap.a-trust.at:389", "connect, resolve";
+ permission java.net.SocketPermission "ocsp.a-trust.at:80", "connect, resolve";
+ permission java.net.SocketPermission "ocsp.ecard.sozialversicherung.at:80", "connect, resolve";
+// permission java.net.SocketPermission "localhost:8080", "connect, resolve";
+// permission java.net.SocketPermission "www.xslt-stylesheet-include-url.org:80", "connect, resolve";
+
+ permission java.security.SecurityPermission "insertProvider.IAIK";
+ permission java.security.SecurityPermission "putProviderProperty.IAIK";
+ permission java.security.SecurityPermission "removeProvider.IAIK";
+ permission java.security.SecurityPermission "insertProvider.IAIK_ECC";
+ permission java.security.SecurityPermission "putProviderProperty.IAIK_ECC";
+ permission java.security.SecurityPermission "insertProvider.XSECT";
+ permission java.security.SecurityPermission "putProviderProperty.XSECT";
+ permission java.security.SecurityPermission "insertProvider.STAL";
+ permission java.security.SecurityPermission "putProviderProperty.STAL";
+ // XMLDSig is moved backwards by XSECT
+ permission java.security.SecurityPermission "insertProvider.XMLDSig";
+ permission java.security.SecurityPermission "removeProvider.XMLDSig";
+
+ permission java.util.PropertyPermission "*", "read";
+ permission java.lang.RuntimePermission "accessDeclaredMembers";
+ permission java.lang.RuntimePermission "getClassLoader";
+ permission java.lang.RuntimePermission "getProtectionDomain";
+ //bkucommon,pki
+ permission java.lang.RuntimePermission "accessClassInPackage.sun.net.www.protocol.ldap";
+ //jax-ws jaxb
+ permission java.lang.RuntimePermission "accessClassInPackage.sun.util.logging.resources";
+ //permission java.lang.RuntimePermission "modifyThread";
+ //permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+ permission java.net.NetPermission "specifyStreamHandler";
+
+ //jaxb
+ //permission java.io.FilePermission "/WEB-INF/classes/-", "read";
+
+};
+
+grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/-" {
+// permission java.util.PropertyPermission "com.sun.xml.ws.fault.SOAPFaultBuilder.disableCaptureStackTrace", "write";
+// permission java.util.PropertyPermission "com.sun.xml.ws.transport.http.HttpAdapter.dump", "write";
+
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write";
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write";
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete";
+
+ permission java.lang.RuntimePermission "defineClassInPackage.java.lang";
+ permission java.util.PropertyPermission "*", "read, write";
+ permission java.lang.RuntimePermission "modifyThread";
+ permission java.lang.RuntimePermission "setFactory";
+ permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+};
+
+grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/utils-1.2.12-pinguin-1-SNAPSHOT.jar" {
+// permission java.lang.RuntimePermission "accessDeclaredMembers";
+ permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+};
+
+grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/bkucommon-1.2.12-pinguin-1-SNAPSHOT.jar" {
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write";
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write";
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete";
+ permission java.io.FilePermission "${catalina.base}/temp/*", "read, write";
+// permission java.io.FilePermission "../conf/secret.xml", "read";
+ permission java.util.PropertyPermission "*", "read, write";
+ permission java.lang.RuntimePermission "modifyThread";
+ permission java.lang.RuntimePermission "setFactory";
+ permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+};
+
+grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/iaik_jce_full_signed-3.16.jar" {
+ permission java.util.PropertyPermission "*", "read, write";
+};
+
+grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/iaik_xsect-1.14.jar" {
+ permission java.util.PropertyPermission "*", "read, write";
+};
+
+grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/iaik_pki-1.0-MOCCA.jar" {
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write";
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write";
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete";
+ //permission java.net.NetPermission "specifyStreamHandler";
+ //permission java.lang.RuntimePermission "accessClassInPackage.sun.net.www.protocol.ldap";
+};
+
+grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/xalan-2.7.1.jar" {
+ permission java.io.FilePermission "${java.home}/lib/xalan.properties", "read";
+ //permission java.lang.RuntimePermission "getClassLoader";
+};
+
+// allow xsl:include from the specified URL
+//grant codeBase "jar:file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/xalan-2.7.1.jar!/org/apache/xalan/processor/-" {
+// permission java.net.SocketPermission "www.xslt-stylesheet-include-url.org:80", "connect, resolve";
+//};
+
+// allow XSLT document function to reference the specified URL
+//grant codeBase "jar:file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/xalan-2.7.1.jar!/org/apache/xalan/xsltc/dom/LoadDocument.class" {
+// permission java.io.FilePermission "../conf/secret.xml", "read";
+//};
+
+// use tomcat/jre endorsed xerces instead
+grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/xercesImpl-2.9.1.jar" {
+ permission java.io.FilePermission "${java.home}/lib/xerces.properties", "read";
+// permission java.io.FilePermission "../conf/secret.xml", "read";
+// permission java.net.SocketPermission "www.xslt-stylesheet-include-url.org:80", "connect, resolve";
+ permission java.io.FilePermission "/WEB-INF/classes/-", "read";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.*";
+ //permission java.lang.RuntimePermission "accessDeclaredMembers";
+};
+
+grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/commons-logging-1.1.1.jar" {
+ permission java.lang.RuntimePermission "defineClassInPackage.java.lang";
+};
+
+grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/log4j-1.2.12.jar" {
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/log4j.properties", "read";
+ permission java.lang.RuntimePermission "defineClassInPackage.java.lang";
+};
+
+grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/spring-core-2.5.5.jar" {
+ //permission java.lang.RuntimePermission "accessDeclaredMembers";
+ permission java.lang.RuntimePermission "modifyThread";
+};
+
+grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/spring-web-2.5.5.jar" {
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write";
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write";
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete";
+ permission java.util.PropertyPermission "*", "read, write";
+ //permission java.lang.RuntimePermission "accessDeclaredMembers";
+ permission java.lang.RuntimePermission "modifyThread";
+ permission java.lang.RuntimePermission "setFactory";
+ //permission java.lang.RuntimePermission "getProtectionDomain";
+ permission java.lang.RuntimePermission "defineClassInPackage.java.lang";
+ permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+};
+
+grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/spring-beans-2.5.5.jar" {
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write";
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write";
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete";
+ permission java.util.PropertyPermission "*", "read, write";
+ //permission java.lang.RuntimePermission "accessDeclaredMembers";
+ permission java.lang.RuntimePermission "setFactory";
+ permission java.lang.RuntimePermission "getProtectionDomain";
+ permission java.lang.RuntimePermission "defineClassInPackage.java.lang";
+ permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+};
+grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/spring-context-2.5.5.jar" {
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write";
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write";
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete";
+ permission java.util.PropertyPermission "*", "read, write";
+ //permission java.lang.RuntimePermission "accessDeclaredMembers";
+ permission java.lang.RuntimePermission "modifyThread";
+ permission java.lang.RuntimePermission "setFactory";
+ permission java.lang.RuntimePermission "getProtectionDomain";
+ permission java.lang.RuntimePermission "defineClassInPackage.java.lang";
+ permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+};
+
+grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/jaxws-rt-2.1.5.jar" {
+ // need write access to set disableCaptureStackTrace and HttpAdapter.dump
+ permission java.util.PropertyPermission "com.sun.xml.ws.*", "read, write";
+ //permission java.util.PropertyPermission "com.sun.xml.bind.*", "read";
+ //permission java.util.PropertyPermission "javax.xml.soap.*", "read";
+ //permission java.util.PropertyPermission "javax.activation.*", "read";
+ //permission java.util.PropertyPermission "xml.catalog.*", "read";
+ //permission java.util.PropertyPermission "user.dir", "read";
+ //permission java.util.PropertyPermission "user.home", "read";
+ permission java.io.FilePermission "${java.home}/lib/jaxm.properties", "read";
+ permission java.io.FilePermission "${java.home}/lib/mailcap", "read";
+ permission java.io.FilePermission "${user.home}/.mailcap", "read";
+ permission java.io.FilePermission "basename", "read";
+ permission java.io.FilePermission "${catalina.home}/bin/xcatalog", "read";
+ permission java.io.FilePermission "${catalina.home}/temp/xcatalog", "read";
+ permission java.io.FilePermission "/WEB-INF/classes/-", "read";
+ //permission java.lang.RuntimePermission "accessDeclaredMembers";
+ //permission java.lang.RuntimePermission "accessClassInPackage.sun.util.logging.resources";
+ permission java.lang.RuntimePermission "setContextClassLoader";
+ permission javax.management.MBeanServerPermission "createMBeanServer";
+ permission javax.management.MBeanPermission "com.sun.xml.ws.*", "registerMBean";
+ permission javax.management.MBeanTrustPermission "register";
+ permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+};
+
+grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/jaxb-impl-2.1.9.jar" {
+ //permission java.lang.RuntimePermission "accessClassInPackage.sun.util.logging.resources";
+ permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+// permission java.lang.RuntimePermission "accessDeclaredMembers";
+// permission java.util.PropertyPermission "com.sun.xml.bind.v2.*", "read";
+// permission java.util.PropertyPermission "user.dir", "read";
+ permission java.io.FilePermission "/WEB-INF/classes/-", "read";
+};
+
+// ======== NETBEANS
+
+grant codeBase "file:${catalina.base}/nblib/-" {
+ permission java.security.AllPermission;
+};
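Review bot: From `// =========== MOCCA grants` onward every codeBase and FilePermission target is one developer's workspace (`/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/...`), yet the file is committed under src/main/policy; on any other host those grants match nothing, so the webapp either fails under the security manager or gets "fixed" on site by widening grants. The file's own header tells readers to replace `${catalina.base}/webapps/bkuonline`, so the grants should be written in that form (or against one placeholder such as `${mocca.webapp}` substituted at deploy time) rather than an absolute path. The closing NETBEANS block grants `java.security.AllPermission` to `file:${catalina.base}/nblib/-`, which removes every sandbox restriction for code placed there; it should be commented out by default, as it was in the older policy file earlier in this commit, with a note that it is for in-place IDE deployment only. `grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar"` also appears twice (once in the Tomcat defaults, once under "container grants required by MOCCA"); both entries apply cumulatively, but a single block avoids the two drifting apart.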
\ No newline at end of file
diff --git a/BKUOnline/src/main/resources/at/gv/egiz/bku/online/conf/accessControlConfig.xml b/BKUOnline/src/main/resources/at/gv/egiz/bku/online/conf/accessControlConfig.xml
deleted file mode 100644
index f8d1411c..00000000
--- a/BKUOnline/src/main/resources/at/gv/egiz/bku/online/conf/accessControlConfig.xml
+++ /dev/null
@@ -1,84 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
- Copyright 2008 Federal Chancellery Austria and Graz University of
- Technology Licensed under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance with the
- License. You may obtain a copy of the License at
- http://www.apache.org/licenses/LICENSE-2.0 Unless required by
- applicable law or agreed to in writing, software distributed under the
- License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- CONDITIONS OF ANY KIND, either express or implied. See the License for
- the specific language governing permissions and limitations under the
- License.
- -->
-<AccessControl>
- <Chains>
- <!--
- The input chain defines filters that are applied before command
- execution
- -->
- <Chain Id="InputChain">
- <Rules>
- <!-- there is no command implemented that requires input filtering -->
- <Rule Id="InputChain-AllowAll">
- <Action>
- <RuleAction>allow</RuleAction>
- </Action>
- <UserInteraction>confirm</UserInteraction>
- </Rule>
- </Rules>
- </Chain>
-
- <!--
- The output chain defines filters that are applied after command
- execution
- -->
- <Chain Id="OutputChain">
- <Rules>
- <Rule Id="OutputChain-Egov">
- <AuthClass>certifiedGovAgency</AuthClass>
- <Action>
- <RuleAction>allow</RuleAction>
- </Action>
- <UserInteraction>confirm</UserInteraction>
- </Rule>
- <Rule Id="OutputChain-Command">
- <AuthClass>anonymous</AuthClass>
- <Action>
- <ChainRef>Command</ChainRef>
- </Action>
- </Rule>
- </Rules>
- </Chain>
- <Chain Id="Command">
- <Rules>
- <Rule Id="cmd-rule-1">
- <AuthClass>certified</AuthClass>
- <Command Name="Infobox.*">
- <Param Name="InfoboxIdentifier">IdentityLink</Param>
- <Param Name="PersonIdentifier">derived</Param>
- </Command>
- <Action>
- <RuleAction>allow</RuleAction>
- </Action>
- <UserInteraction>confirm</UserInteraction>
- </Rule>
- <Rule Id="cmd-rule-2">
- <AuthClass>anonymous</AuthClass>
- <Command Name="Infobox.*">
- <Param Name="InfoboxIdentifier">IdentityLink</Param>
- </Command>
- <Action>
- <RuleAction>deny</RuleAction>
- </Action>
- <UserInteraction>info</UserInteraction>
- </Rule>
- <Rule Id="cmd-rule-3">
- <Action>
- <RuleAction>allow</RuleAction>
- </Action>
- </Rule>
- </Rules>
- </Chain>
- </Chains>
-</AccessControl>
diff --git a/BKUOnline/src/main/resources/at/gv/egiz/mocca/id/idlschema/PersonData.xsd b/BKUOnline/src/main/resources/at/gv/egiz/mocca/id/idlschema/PersonData.xsd
new file mode 100644
index 00000000..3d59a2b1
--- /dev/null
+++ b/BKUOnline/src/main/resources/at/gv/egiz/mocca/id/idlschema/PersonData.xsd
@@ -0,0 +1,57 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- NOTE: This is not the official person data schema! --> +<!-- This is a special version of the person data schema to validate identity links. --> +<xs:schema targetNamespace="http://reference.e-government.gv.at/namespace/persondata/20020228#" + xmlns="http://reference.e-government.gv.at/namespace/persondata/20020228#" + xmlns:xs="http://www.w3.org/2001/XMLSchema" + elementFormDefault="qualified" attributeFormDefault="unqualified" version="1.0.0"> + <xs:element name="Person" type="AbstractPersonType"/> + <xs:complexType name="AbstractPersonType" abstract="true"> + <xs:sequence> + <xs:element name="Identification" type="IdentificationType" minOccurs="0"/> + </xs:sequence> + </xs:complexType> + <xs:element name="PhysicalPerson" type="PhysicalPersonType"/> + <xs:complexType name="PhysicalPersonType"> + <xs:complexContent> + <xs:extension base="AbstractPersonType"> + <xs:sequence> + <xs:element name="Name" type="PersonNameType"/> + <xs:element name="DateOfBirth" type="DateOfBirthType"/> + </xs:sequence> + </xs:extension> + </xs:complexContent> + </xs:complexType> + <xs:complexType name="IdentificationType"> + <xs:sequence> + <xs:element name="Value" type="xs:string"/> + <xs:element name="Type" type="xs:anyURI"/> + </xs:sequence> + </xs:complexType> + <xs:simpleType name="DateOfBirthType"> + <xs:union memberTypes="xs:date xs:gYearMonth xs:gYear"/> + </xs:simpleType> + <xs:complexType name="PersonNameType"> + <xs:sequence> + <xs:element name="GivenName" type="xs:string"/> + <xs:element name="FamilyName"> + <xs:complexType> + <xs:simpleContent> + <xs:extension base="xs:string"> + <xs:attribute name="primary" default="undefined"> + <xs:simpleType> + <xs:restriction base="xs:string"> + <xs:enumeration value="true"/> + <xs:enumeration value="false"/> + <xs:enumeration value="undefined"/> + </xs:restriction> + </xs:simpleType> + </xs:attribute> + <xs:attribute name="prefix" type="xs:string"/> + </xs:extension> + 
</xs:simpleContent> + </xs:complexType> + </xs:element> + </xs:sequence> + </xs:complexType> +</xs:schema>
\ No newline at end of file diff --git a/BKUOnline/src/main/resources/at/gv/egiz/mocca/id/idlschema/oasis-sstc-saml-schema-assertion-1.0.xsd b/BKUOnline/src/main/resources/at/gv/egiz/mocca/id/idlschema/oasis-sstc-saml-schema-assertion-1.0.xsd new file mode 100644 index 00000000..5518db2f --- /dev/null +++ b/BKUOnline/src/main/resources/at/gv/egiz/mocca/id/idlschema/oasis-sstc-saml-schema-assertion-1.0.xsd @@ -0,0 +1,105 @@ +<?xml version="1.0" encoding="UTF-8"?>
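Review bot: `Identification` is declared `minOccurs="0"` in `AbstractPersonType`, so a `PhysicalPerson` that carries no `Identification/Value` at all still validates against this schema, even though the header comment says the schema exists specifically to validate identity links; any code that treats "schema-valid" as "contains the identifier" must check for the element itself. `Value` is an unrestricted `xs:string` and `Type` an unrestricted `xs:anyURI`, so the expected identification type URI is not pinned by the schema either. If an identity link without an identification is never acceptable, express that here, `<xs:element name="Identification" type="IdentificationType"/>`, and otherwise add a sentence to the header comment stating that presence and type of `Identification` are enforced by the consumer, not by validation.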
+<!-- edited with XML Spy v3.5 NT (http://www.xmlspy.com) by Phill Hallam-Baker (VeriSign Inc.) -->
+<schema targetNamespace="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:pr="http://reference.e-government.gv.at/namespace/persondata/20020228#" xmlns:ecdsa="http://www.w3.org/2001/04/xmldsig-more#" xmlns="http://www.w3.org/2001/XMLSchema" elementFormDefault="unqualified">
+ <import namespace="http://reference.e-government.gv.at/namespace/persondata/20020228#" schemaLocation="PersonData.xsd"/>
+ <import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="xmldsig-core-schema.xsd"/>
+ <import namespace="http://www.w3.org/2001/04/xmldsig-more#" schemaLocation="xmldsig-more.xsd"/>
+ <element name="Assertion" type="saml:AssertionType"/>
+ <complexType name="AssertionType">
+ <sequence>
+ <element ref="saml:AttributeStatement"/>
+ <element ref="ds:Signature" minOccurs="0"/>
+ </sequence>
+ <attribute name="MajorVersion" type="integer" use="required" fixed="1"/>
+ <attribute name="MinorVersion" type="integer" use="required" fixed="0"/>
+ <attribute name="AssertionID" type="saml:IDType" use="required"/>
+ <attribute name="Issuer" type="string" use="required"/>
+ <attribute name="IssueInstant" type="dateTime" use="required"/>
+ </complexType>
+ <simpleType name="IDType">
+ <restriction base="string"/>
+ </simpleType>
+ <element name="AttributeStatement" type="saml:AttributeStatementType"/>
+ <complexType name="AttributeStatementType">
+ <complexContent>
+ <extension base="saml:SubjectStatementAbstractType1">
+ <sequence>
+ <element ref="saml:Attribute" maxOccurs="unbounded"/>
+ </sequence>
+ </extension>
+ </complexContent>
+ </complexType>
+ <complexType name="SubjectStatementAbstractType1" abstract="true">
+ <complexContent>
+ <extension base="saml:StatementAbstractType">
+ <sequence>
+ <element ref="saml:Subject"/>
+ </sequence>
+ </extension>
+ </complexContent>
+ </complexType>
+ <complexType name="StatementAbstractType" abstract="true"/>
+ <element name="Subject" type="saml:SubjectType"/>
+ <complexType name="SubjectType">
+ <choice>
+ <sequence>
+ <element ref="saml:NameIdentifier"/>
+ <element ref="saml:SubjectConfirmation"/>
+ </sequence>
+ <element ref="saml:SubjectConfirmation"/>
+ </choice>
+ </complexType>
+ <element name="NameIdentifier" type="saml:NameIdentifierType"/>
+ <complexType name="NameIdentifierType">
+ <simpleContent>
+ <extension base="string">
+ <attribute name="NameQualifier" type="string" use="optional"/>
+ <attribute name="Format" type="anyURI" use="optional"/>
+ </extension>
+ </simpleContent>
+ </complexType>
+ <element name="SubjectConfirmation" type="saml:SubjectConfirmationType"/>
+ <complexType name="SubjectConfirmationType">
+ <sequence>
+ <element ref="saml:ConfirmationMethod"/>
+ <element ref="saml:SubjectConfirmationData"/>
+ </sequence>
+ </complexType>
+ <element name="SubjectConfirmationData">
+ <complexType>
+ <sequence>
+ <element ref="pr:Person"/>
+ </sequence>
+ </complexType>
+ </element>
+ <element name="ConfirmationMethod">
+ <simpleType>
+ <restriction base="anyURI">
+ <enumeration value="urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"/>
+ </restriction>
+ </simpleType>
+ </element>
+ <element name="Attribute" type="saml:AttributeType"/>
+ <complexType name="AttributeType">
+ <complexContent>
+ <extension base="saml:AttributeDesignatorType">
+ <sequence>
+ <element ref="saml:AttributeValue" maxOccurs="unbounded"/>
+ </sequence>
+ </extension>
+ </complexContent>
+ </complexType>
+ <complexType name="AttributeDesignatorType">
+ <attribute name="AttributeName" type="string" use="required" fixed="CitizenPublicKey"/>
+ <attribute name="AttributeNamespace" type="anyURI" use="required" fixed="urn:publicid:gv.at:namespaces:identitylink:1.2"/>
+ </complexType>
+ <element name="AttributeValue">
+ <complexType>
+ <choice>
+ <element ref="ds:DSAKeyValue"/>
+ <element ref="ds:RSAKeyValue"/>
+ <element ref="ecdsa:ECDSAKeyValue"/>
+ </choice>
+ </complexType>
+ </element>
+</schema>
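Review bot: `ds:Signature` is optional on `AssertionType` (`<element ref="ds:Signature" minOccurs="0"/>`), so an unsigned identity link is schema-valid and whatever parses against this schema must not equate successful validation with authenticity; it has to require and verify the signature as a separate step. Because the imported core schema admits `ds:Object`, `ds:Manifest` and lax `##other` content inside the signature, that verification should also confirm that the signed `Reference`s actually cover the `AttributeStatement` rather than only checking that some signature validates. If unsigned identity links are never acceptable in this deployment, dropping `minOccurs="0"` lets the schema itself reject them; if they are accepted somewhere, a comment next to the element saying why would keep the next reader from assuming validation implies a signature.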
diff --git a/BKUOnline/src/main/resources/at/gv/egiz/mocca/id/idlschema/xmldsig-core-schema.xsd b/BKUOnline/src/main/resources/at/gv/egiz/mocca/id/idlschema/xmldsig-core-schema.xsd new file mode 100644 index 00000000..8422fdfa --- /dev/null +++ b/BKUOnline/src/main/resources/at/gv/egiz/mocca/id/idlschema/xmldsig-core-schema.xsd 
@@ -0,0 +1,308 @@ +<?xml version="1.0" encoding="utf-8"?> +<!-- Schema for XML Signatures + http://www.w3.org/2000/09/xmldsig# + $Revision: 1.1 $ on $Date: 2002/02/08 20:32:26 $ by $Author: reagle $ + + Copyright 2001 The Internet Society and W3C (Massachusetts Institute + of Technology, Institut National de Recherche en Informatique et en + Automatique, Keio University). All Rights Reserved. + http://www.w3.org/Consortium/Legal/ + + This document is governed by the W3C Software License [1] as described + in the FAQ [2]. + + [1] http://www.w3.org/Consortium/Legal/copyright-software-19980720 + [2] http://www.w3.org/Consortium/Legal/IPR-FAQ-20000620.html#DTD +--> + + +<schema xmlns="http://www.w3.org/2001/XMLSchema" + xmlns:ds="http://www.w3.org/2000/09/xmldsig#" + targetNamespace="http://www.w3.org/2000/09/xmldsig#" + version="0.1" elementFormDefault="qualified"> + +<!-- Basic Types Defined for Signatures --> + +<simpleType name="CryptoBinary"> + <restriction base="base64Binary"> + </restriction> +</simpleType> + +<!-- Start Signature --> + +<element name="Signature" type="ds:SignatureType"/> +<complexType name="SignatureType"> + <sequence> + <element ref="ds:SignedInfo"/> + <element ref="ds:SignatureValue"/> + <element ref="ds:KeyInfo" minOccurs="0"/> + <element ref="ds:Object" minOccurs="0" maxOccurs="unbounded"/> + </sequence> + <attribute name="Id" type="ID" use="optional"/> +</complexType> + + <element name="SignatureValue" type="ds:SignatureValueType"/> + <complexType name="SignatureValueType"> + <simpleContent> + <extension base="base64Binary"> + <attribute name="Id" type="ID" use="optional"/> + </extension> + </simpleContent> + </complexType> + +<!-- Start SignedInfo --> + +<element name="SignedInfo" type="ds:SignedInfoType"/> +<complexType name="SignedInfoType"> + <sequence> + <element ref="ds:CanonicalizationMethod"/> + <element ref="ds:SignatureMethod"/> + <element ref="ds:Reference" maxOccurs="unbounded"/> + </sequence> + <attribute name="Id" type="ID" 
use="optional"/> +</complexType> + + <element name="CanonicalizationMethod" type="ds:CanonicalizationMethodType"/> + <complexType name="CanonicalizationMethodType" mixed="true"> + <sequence> + <any namespace="##any" minOccurs="0" maxOccurs="unbounded"/> + <!-- (0,unbounded) elements from (1,1) namespace --> + </sequence> + <attribute name="Algorithm" type="anyURI" use="required"/> + </complexType> + + <element name="SignatureMethod" type="ds:SignatureMethodType"/> + <complexType name="SignatureMethodType" mixed="true"> + <sequence> + <element name="HMACOutputLength" minOccurs="0" type="ds:HMACOutputLengthType"/> + <any namespace="##other" minOccurs="0" maxOccurs="unbounded"/> + <!-- (0,unbounded) elements from (1,1) external namespace --> + </sequence> + <attribute name="Algorithm" type="anyURI" use="required"/> + </complexType> + +<!-- Start Reference --> + +<element name="Reference" type="ds:ReferenceType"/> +<complexType name="ReferenceType"> + <sequence> + <element ref="ds:Transforms" minOccurs="0"/> + <element ref="ds:DigestMethod"/> + <element ref="ds:DigestValue"/> + </sequence> + <attribute name="Id" type="ID" use="optional"/> + <attribute name="URI" type="anyURI" use="optional"/> + <attribute name="Type" type="anyURI" use="optional"/> +</complexType> + + <element name="Transforms" type="ds:TransformsType"/> + <complexType name="TransformsType"> + <sequence> + <element ref="ds:Transform" maxOccurs="unbounded"/> + </sequence> + </complexType> + + <element name="Transform" type="ds:TransformType"/> + <complexType name="TransformType" mixed="true"> + <choice minOccurs="0" maxOccurs="unbounded"> + <any namespace="##other" processContents="lax"/> + <!-- (1,1) elements from (0,unbounded) namespaces --> + <element name="XPath" type="string"/> + </choice> + <attribute name="Algorithm" type="anyURI" use="required"/> + </complexType> + +<!-- End Reference --> + +<element name="DigestMethod" type="ds:DigestMethodType"/> +<complexType name="DigestMethodType" 
mixed="true"> + <sequence> + <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/> + </sequence> + <attribute name="Algorithm" type="anyURI" use="required"/> +</complexType> + +<element name="DigestValue" type="ds:DigestValueType"/> +<simpleType name="DigestValueType"> + <restriction base="base64Binary"/> +</simpleType> + +<!-- End SignedInfo --> + +<!-- Start KeyInfo --> + +<element name="KeyInfo" type="ds:KeyInfoType"/> +<complexType name="KeyInfoType" mixed="true"> + <choice maxOccurs="unbounded"> + <element ref="ds:KeyName"/> + <element ref="ds:KeyValue"/> + <element ref="ds:RetrievalMethod"/> + <element ref="ds:X509Data"/> + <element ref="ds:PGPData"/> + <element ref="ds:SPKIData"/> + <element ref="ds:MgmtData"/> + <any processContents="lax" namespace="##other"/> + <!-- (1,1) elements from (0,unbounded) namespaces --> + </choice> + <attribute name="Id" type="ID" use="optional"/> +</complexType> + + <element name="KeyName" type="string"/> + <element name="MgmtData" type="string"/> + + <element name="KeyValue" type="ds:KeyValueType"/> + <complexType name="KeyValueType" mixed="true"> + <choice> + <element ref="ds:DSAKeyValue"/> + <element ref="ds:RSAKeyValue"/> + <any namespace="##other" processContents="lax"/> + </choice> + </complexType> + + <element name="RetrievalMethod" type="ds:RetrievalMethodType"/> + <complexType name="RetrievalMethodType"> + <sequence> + <element ref="ds:Transforms" minOccurs="0"/> + </sequence> + <attribute name="URI" type="anyURI"/> + <attribute name="Type" type="anyURI" use="optional"/> + </complexType> + +<!-- Start X509Data --> + +<element name="X509Data" type="ds:X509DataType"/> +<complexType name="X509DataType"> + <sequence maxOccurs="unbounded"> + <choice> + <element name="X509IssuerSerial" type="ds:X509IssuerSerialType"/> + <element name="X509SKI" type="base64Binary"/> + <element name="X509SubjectName" type="string"/> + <element name="X509Certificate" type="base64Binary"/> + <element name="X509CRL" 
type="base64Binary"/> + <any namespace="##other" processContents="lax"/> + </choice> + </sequence> +</complexType> + +<complexType name="X509IssuerSerialType"> + <sequence> + <element name="X509IssuerName" type="string"/> + <element name="X509SerialNumber" type="integer"/> + </sequence> +</complexType> + +<!-- End X509Data --> + +<!-- Begin PGPData --> + +<element name="PGPData" type="ds:PGPDataType"/> +<complexType name="PGPDataType"> + <choice> + <sequence> + <element name="PGPKeyID" type="base64Binary"/> + <element name="PGPKeyPacket" type="base64Binary" minOccurs="0"/> + <any namespace="##other" processContents="lax" minOccurs="0" + maxOccurs="unbounded"/> + </sequence> + <sequence> + <element name="PGPKeyPacket" type="base64Binary"/> + <any namespace="##other" processContents="lax" minOccurs="0" + maxOccurs="unbounded"/> + </sequence> + </choice> +</complexType> + +<!-- End PGPData --> + +<!-- Begin SPKIData --> + +<element name="SPKIData" type="ds:SPKIDataType"/> +<complexType name="SPKIDataType"> + <sequence maxOccurs="unbounded"> + <element name="SPKISexp" type="base64Binary"/> + <any namespace="##other" processContents="lax" minOccurs="0"/> + </sequence> +</complexType> + +<!-- End SPKIData --> + +<!-- End KeyInfo --> + +<!-- Start Object (Manifest, SignatureProperty) --> + +<element name="Object" type="ds:ObjectType"/> +<complexType name="ObjectType" mixed="true"> + <sequence minOccurs="0" maxOccurs="unbounded"> + <any namespace="##any" processContents="lax"/> + </sequence> + <attribute name="Id" type="ID" use="optional"/> + <attribute name="MimeType" type="string" use="optional"/> <!-- add a grep facet --> + <attribute name="Encoding" type="anyURI" use="optional"/> +</complexType> + +<element name="Manifest" type="ds:ManifestType"/> +<complexType name="ManifestType"> + <sequence> + <element ref="ds:Reference" maxOccurs="unbounded"/> + </sequence> + <attribute name="Id" type="ID" use="optional"/> +</complexType> + +<element name="SignatureProperties" 
type="ds:SignaturePropertiesType"/> +<complexType name="SignaturePropertiesType"> + <sequence> + <element ref="ds:SignatureProperty" maxOccurs="unbounded"/> + </sequence> + <attribute name="Id" type="ID" use="optional"/> +</complexType> + + <element name="SignatureProperty" type="ds:SignaturePropertyType"/> + <complexType name="SignaturePropertyType" mixed="true"> + <choice maxOccurs="unbounded"> + <any namespace="##other" processContents="lax"/> + <!-- (1,1) elements from (1,unbounded) namespaces --> + </choice> + <attribute name="Target" type="anyURI" use="required"/> + <attribute name="Id" type="ID" use="optional"/> + </complexType> + +<!-- End Object (Manifest, SignatureProperty) --> + +<!-- Start Algorithm Parameters --> + +<simpleType name="HMACOutputLengthType"> + <restriction base="integer"/> +</simpleType> + +<!-- Start KeyValue Element-types --> + +<element name="DSAKeyValue" type="ds:DSAKeyValueType"/> +<complexType name="DSAKeyValueType"> + <sequence> + <sequence minOccurs="0"> + <element name="P" type="ds:CryptoBinary"/> + <element name="Q" type="ds:CryptoBinary"/> + </sequence> + <element name="G" type="ds:CryptoBinary" minOccurs="0"/> + <element name="Y" type="ds:CryptoBinary"/> + <element name="J" type="ds:CryptoBinary" minOccurs="0"/> + <sequence minOccurs="0"> + <element name="Seed" type="ds:CryptoBinary"/> + <element name="PgenCounter" type="ds:CryptoBinary"/> + </sequence> + </sequence> +</complexType> + +<element name="RSAKeyValue" type="ds:RSAKeyValueType"/> +<complexType name="RSAKeyValueType"> + <sequence> + <element name="Modulus" type="ds:CryptoBinary"/> + <element name="Exponent" type="ds:CryptoBinary"/> + </sequence> +</complexType> + +<!-- End KeyValue Element-types --> + +<!-- End Signature --> + +</schema> diff --git a/BKUOnline/src/main/resources/at/gv/egiz/mocca/id/idlschema/xmldsig-more.xsd b/BKUOnline/src/main/resources/at/gv/egiz/mocca/id/idlschema/xmldsig-more.xsd new file mode 100644 index 00000000..52856ae6 --- /dev/null 
+++ b/BKUOnline/src/main/resources/at/gv/egiz/mocca/id/idlschema/xmldsig-more.xsd 
@@ -0,0 +1,147 @@ +<?xml version="1.0" encoding="UTF-8"?> + + <xs:schema + targetNamespace="http://www.w3.org/2001/04/xmldsig-more#" + xmlns:ecdsa="http://www.w3.org/2001/04/xmldsig-more#" + xmlns:xs="http://www.w3.org/2001/XMLSchema" + elementFormDefault="qualified" attributeFormDefault="unqualified" + version="0.2"> + + <!--ECDSA key value root element--> + + <xs:element name="ECDSAKeyValue" type="ecdsa:ECDSAKeyValueType"/> + <xs:complexType name="ECDSAKeyValueType"> + <xs:sequence> + <xs:element name="DomainParameters" + type="ecdsa:DomainParamsType" minOccurs="0"/> + <xs:element name="PublicKey" type="ecdsa:ECPointType"/> + </xs:sequence> + </xs:complexType> + + <!--EC domain parameters--> + + <xs:complexType name="DomainParamsType"> + <xs:choice> + <xs:element name="ExplicitParams" + type="ecdsa:ExplicitParamsType"/> + <xs:element name="NamedCurve"> + <xs:complexType> + <xs:attribute name="URN" type="xs:anyURI" use="required"/> + </xs:complexType> + </xs:element> + </xs:choice> + </xs:complexType> + <xs:complexType name="FieldParamsType" abstract="true"/> + + <xs:complexType name="PrimeFieldParamsType"> + <xs:complexContent> + <xs:extension base="ecdsa:FieldParamsType"> + <xs:sequence> + <xs:element name="P" type="xs:positiveInteger"/> + </xs:sequence> + </xs:extension> + </xs:complexContent> + </xs:complexType> + + <xs:complexType name="CharTwoFieldParamsType" abstract="true"> + <xs:complexContent> + <xs:extension base="ecdsa:FieldParamsType"> + <xs:sequence> + <xs:element name="M" type="xs:positiveInteger"/> + </xs:sequence> + </xs:extension> + </xs:complexContent> + </xs:complexType> + <xs:complexType name="OddCharExtensionFieldParamsType"> + <xs:complexContent> + <xs:extension base="ecdsa:FieldParamsType"> + <xs:sequence> + <xs:element name="M" type="xs:positiveInteger"/> + <xs:element name="W" type="xs:positiveInteger"/> + </xs:sequence> + </xs:extension> + </xs:complexContent> + </xs:complexType> + <xs:complexType name="TnBFieldParamsType"> + 
<xs:complexContent> + <xs:extension base="ecdsa:CharTwoFieldParamsType"> + <xs:sequence> + <xs:element name="K" type="xs:positiveInteger"/> + </xs:sequence> + </xs:extension> + </xs:complexContent> + </xs:complexType> + <xs:complexType name="PnBFieldParamsType"> + <xs:complexContent> + <xs:extension base="ecdsa:CharTwoFieldParamsType"> + <xs:sequence> + <xs:element name="K1" type="xs:positiveInteger"/> + <xs:element name="K2" type="xs:positiveInteger"/> + <xs:element name="K3" type="xs:positiveInteger"/> + </xs:sequence> + </xs:extension> + </xs:complexContent> + </xs:complexType> + + <xs:complexType name="ExplicitParamsType"> + <xs:sequence> + <xs:element name="FieldParams" type="ecdsa:FieldParamsType"/> + <xs:element name="CurveParams" type="ecdsa:CurveParamsType"/> + <xs:element name="BasePointParams" + type="ecdsa:BasePointParamsType"/> + </xs:sequence> + </xs:complexType> + <xs:complexType name="CurveParamsType"> + <xs:sequence> + <xs:element name="A" type="ecdsa:FieldElemType"/> + <xs:element name="B" type="ecdsa:FieldElemType"/> + <xs:element name="Seed" type="xs:hexBinary" minOccurs="0"/> + </xs:sequence> + </xs:complexType> + <xs:complexType name="BasePointParamsType"> + <xs:sequence> + <xs:element name="BasePoint" type="ecdsa:ECPointType"/> + <xs:element name="Order" type="xs:positiveInteger"/> + <xs:element name="Cofactor" type="xs:positiveInteger" + minOccurs="0"/> + </xs:sequence> + </xs:complexType> + + <!--EC point--> + + <xs:complexType name="ECPointType"> + <xs:sequence minOccurs="0"> + <xs:element name="X" type="ecdsa:FieldElemType"/> + <xs:element name="Y" type="ecdsa:FieldElemType"/> + </xs:sequence> + </xs:complexType> + + <!--Field element--> + + <xs:complexType name="FieldElemType" abstract="true"/> + <xs:complexType name="PrimeFieldElemType"> + <xs:complexContent> + <xs:extension base="ecdsa:FieldElemType"> + <xs:attribute name="Value" type="xs:nonNegativeInteger" + use="required"/> + </xs:extension> + </xs:complexContent> + 
</xs:complexType> + + <xs:complexType name="CharTwoFieldElemType"> + <xs:complexContent> + <xs:extension base="ecdsa:FieldElemType"> + <xs:attribute name="Value" type="xs:hexBinary" + use="required"/> + </xs:extension> + </xs:complexContent> + </xs:complexType> + <xs:complexType name="OddCharExtensionFieldElemType"> + <xs:complexContent> + <xs:extension base="ecdsa:FieldElemType"> + <xs:attribute name="Value" type="xs:nonNegativeInteger" + use="required"/> + </xs:extension> + </xs:complexContent> + </xs:complexType> + </xs:schema>
\ No newline at end of file diff --git a/BKUOnline/src/main/resources/commons-logging.properties b/BKUOnline/src/main/resources/commons-logging.properties deleted file mode 100644 index 0d497b1b..00000000 --- a/BKUOnline/src/main/resources/commons-logging.properties +++ /dev/null @@ -1,16 +0,0 @@ -# Copyright 2008 Federal Chancellery Austria and -# Graz University of Technology -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -org.apache.commons.logging.Log=org.apache.commons.logging.impl.Log4JLogger diff --git a/BKUOnline/src/main/resources/log4j.properties b/BKUOnline/src/main/resources/log4j.properties index d4a03fe7..e3012f35 100644 --- a/BKUOnline/src/main/resources/log4j.properties +++ b/BKUOnline/src/main/resources/log4j.properties @@ -14,9 +14,10 @@ # limitations under the License. -#log4j.rootLogger=DEBUG, STDOUT, file -log4j.rootLogger=INFO, file +log4j.rootLogger=INFO, STDOUT, file +#log4j.rootLogger=DEBUG, file #log4j.logger.at.gv=TRACE +log4j.logger.org.springframework=INFO # STDOUT appender 
@@ -24,7 +25,7 @@ log4j.appender.STDOUT=org.apache.log4j.ConsoleAppender log4j.appender.STDOUT.layout=org.apache.log4j.PatternLayout #log4j.appender.STDOUT.layout.ConversionPattern=%5p | %d{dd HH:mm:ss,SSS} | %20c | %10t | %m%n #log4j.appender.STDOUT.layout.ConversionPattern=%-4r [%t] %-5p %c %x - %m%n -log4j.appender.STDOUT.layout.ConversionPattern=%-5p | %t | %c %x - %m%n +log4j.appender.STDOUT.layout.ConversionPattern=...%-0.6X{id} %-5p | %t | %c - %m%n # FILE appender log4j.appender.file=org.apache.log4j.RollingFileAppender diff --git a/BKUOnline/src/main/webapp/IDRequestForm.html b/BKUOnline/src/main/webapp/IDRequestForm.html new file mode 100644 index 00000000..2682df4d --- /dev/null +++ b/BKUOnline/src/main/webapp/IDRequestForm.html 
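Review bot: The new pattern `...%-0.6X{id}` depends on log4j 1.x truncation semantics — a maximum width of 6 removes characters from the beginning of the MDC value, so the literal `...` prefix is there to signal that only the last six characters of `id` are printed; that is non-obvious and deserves a comment above the line, e.g. `# print only the last 6 chars of MDC 'id' (log4j truncates from the left)`. Nothing in this hunk shows what populates `id`; if it is a session or request identifier, emitting only a short suffix to stdout is the safer choice, but it also makes collisions between concurrent sessions more likely when correlating lines, which is worth stating in the same comment.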
@@ -0,0 +1,71 @@ +<!-- + Copyright 2008 Federal Chancellery Austria and + Graz University of Technology + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> +<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> +<html> + <head> + <title>ID Request Form</title> + <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> + <link rel="shortcut icon" href="img/chip16.ico" type="image/x-icon"> + <style type="text/css" media="all">@import "css/main.css";</style> + <style type="text/css"> + fieldset { + padding: 1em; + margin: 1em; + font: 80%/ 1 sans-serif; + background-color: #F2EFE9; + padding-left: 5em; + } + + fieldset.submit { + float: none; + width: auto; + border: 0 none #FFF; + padding-left: 14em; + border-style: none; + background-color: transparent; + } + + label { + float: left; + width: 8em; + margin-right: 0.5em; + padding-top: 0.2em; + text-align: right; + font-weight: bold; + color: #000; + padding-top: 0.2em; + } + + legend { + border: 1px solid; + padding: 2px 6px + } + </style> + </head> +<body> +<h1>ID Request Form</h1> +<form action="./moccaid" method="post" + enctype="application/x-www-form-urlencoded" name="idform"> +<fieldset><legend>ID Request</legend> +<p><label for="BKUUrl">BKUUrl</label><input + value="http://localhost:3495/http-security-layer-request" /></p> +</fieldset> +<fieldset class="submit"><input type="submit" class="submit"/></fieldset> +</form> + +</body> +</html> 
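Review bot: The only data field in the form, `<input value="http://localhost:3495/http-security-layer-request" />`, has neither `name` nor `id`, so the POST to `./moccaid` never carries a `BKUUrl` parameter and `<label for="BKUUrl">` points at nothing; it should read `<input type="text" id="BKUUrl" name="BKUUrl" value="http://localhost:3495/http-security-layer-request" />`. Once that is fixed the handler behind `./moccaid` receives an arbitrary user-supplied URL that it presumably connects to; that handler is not in this hunk, but it should restrict the scheme and host it is willing to contact rather than trust the submitted value. If this page is only a developer aid, a comment in the file saying so would help.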
diff --git a/BKUOnline/src/main/webapp/PINManagement.jsp b/BKUOnline/src/main/webapp/PINManagement.jsp index 3555f99e..d5f71862 100644 --- a/BKUOnline/src/main/webapp/PINManagement.jsp +++ b/BKUOnline/src/main/webapp/PINManagement.jsp @@ -49,11 +49,43 @@ } String backgroundImg = request.getParameter("appletBackground"); %> - <body id="appletpage" style="width:<%=width%>" onFocus="focusToApplet()"> + <body id="appletpage" style="width:<%=width%>"> + + <div id="container" style="float: left; width: <%= width %>"> + + + <form name="increaseform" action="javascript:increaseSize()" method="get"> + + <!-- increase font size image --> + <input type="image" src="img/inc.png" alt="Text vergrößern" width="13px" height="18px" style="float: left;" id="increase_image"/> + + </form> + + + <form name="decreaseform" action="javascript:decreaseSize()" method="get"> + + <!-- decrease font size image --> + <input type="image" src="img/dec.png" alt="Text verkleinern" width="13px" height="18px" style="float: left;" id="decrease_image"/> + + </form> + + <form name="helpform" action="help/index.html" method="get" target="_new" + onsubmit="this.action=document.moccaapplet.getHelpURL(); this.submit(); return false;"> + + <!-- invisible input --> + <input type="image" src="img/help.png" alt=" " width="0px" height="0px" style="float: left;" onFocus="focusToApplet()"/> + + <!-- help image --> + <input type="image" src="img/help.png" alt="Hilfe" width="13px" height="18px" style="float: right;" id="helpimage"/> + + + </form> + <script> // avoid selection of applet before it is completely loaded - var allowSelectionByJS = false; + // TODO: Is this necessary? + var allowSelectionByJS = true; if (!deployJava.versionCheck('1.6.0_04+')) { document @@ -81,6 +113,8 @@ deployJava.runApplet(attributes, parameters, version); } </script> + + </div> </body> <script> 
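Review bot: The new container div repeats the unescaped interpolation `style="float: left; width: <%= width %>"`; the context line `request.getParameter("appletBackground")` shows this page reads layout values from request parameters, and if `width` (assigned outside this hunk) comes from one too, it is written into a style attribute unchecked, where a value such as `100px" onmouseover="...` breaks out of the attribute. Validate it as a CSS length before use (for example accept only `\d+(px|%|em)?`) or at least HTML-escape it at both insertion points. The help form's `onsubmit="this.action=document.moccaapplet.getHelpURL(); this.submit(); return false;"` submits to whatever URL the applet returns; where that URL originates is not visible here, but if it is derived from request data it is an open-redirect vector and should be constrained to a known base. Finally, `var allowSelectionByJS = true;` sits under a comment that still says the applet must not be selected before it is loaded, plus a `// TODO: Is this necessary?` — either resolve the question or keep the previous `false` default.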
@@ -90,7 +124,6 @@ //alert('try to set focus to applet'); if (document != null && document.moccaapplet != null && allowSelectionByJS) { - //alert('set focus to applet.'); document.moccaapplet.getFocusFromBrowser(); return true; } @@ -101,10 +134,49 @@ // put focus to window // focus can be assigned to an arbitrary focusable field on the embedding website as well - self.focus(); + document.getElementById("helpimage").focus(); } - + + function increaseSize() { + + var appwidth = document.moccaapplet.width; + var appheight = document.moccaapplet.height; + + document.moccaapplet.width = (appwidth * 1.2); + document.moccaapplet.height = (appheight * 1.2); + + document.getElementById("container").style.width = (appwidth * 1.2); + + // TODO: This does not work, seems that width and height attributes cannot be read + // and set from input of type image + var image_width = document.getElementById("increase_image").width; + var image_height = document.getElementById("increase_image").height; + + + document.getElementById("helpimage").width = (image_width * 1.2); + document.getElementById("helpimage").height = (image_height * 1.2); + + document.getElementById("increase_image").width = (image_width * 1.2); + document.getElementById("increase_image").height = (image_height * 1.2); + + document.getElementById("decrease_image").width = (image_width * 1.2); + document.getElementById("decrease_image").height = (image_height * 1.2); + + + } + + function decreaseSize() { + + var appwidth = document.moccaapplet.width; + var appheight = document.moccaapplet.height; + + document.moccaapplet.width = (appwidth * 0.8333333333333); + document.moccaapplet.height = (appheight * 0.8333333333333); + + document.getElementById("container").style.width = (appwidth * 0.8333333333333); + } + </script> </html> diff --git a/BKUOnline/src/main/webapp/SLRequestForm.html b/BKUOnline/src/main/webapp/SLRequestForm.html index 2de652a7..2a372d83 100644 --- a/BKUOnline/src/main/webapp/SLRequestForm.html 
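Review bot: `increaseSize` and `decreaseSize` assign bare numbers to `style.width`, e.g. `document.getElementById("container").style.width = (appwidth * 1.2);`; a unitless value is ignored in standards mode, so the container will not actually resize unless this page renders in quirks mode (the doctype is outside this hunk). Append a unit at each of those assignments: `document.getElementById("container").style.width = (appwidth * 1.2) + "px";` and the same in `decreaseSize`. The two functions are also asymmetric — `increaseSize` rescales the three image inputs (under a `TODO: This does not work` admitting it is broken) while `decreaseSize` does not — so an increase followed by a decrease leaves the icons at a different size from the applet; either drop the image scaling from both or implement it in both. Each call also derives the new size from the current size, so repeated 1.2 / 0.8333 cycles drift; storing the base size once and scaling by an integer step avoids that.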
+++ b/BKUOnline/src/main/webapp/SLRequestForm.html @@ -73,7 +73,7 @@ <body> <h1>Security-Layer v1.2 Request Formular</h1> <p> - <form action="./http-security-layer-request" method="Post" + <form action="./http-security-layer-request" method="Get" enctype="application/x-www-form-urlencoded" name="slform"> <!--input name="locale" value="es_MX" type="hidden" /--> <fieldset><legend>Enter XML Request</legend> @@ -186,8 +186,8 @@ <p> <label for="appletPage">Applet Page</label> - <input type="radio" name="appletPage" value="BKUApplet" checked="checked">Default - <input type="radio" name="appletPage" value="BKUAppletAlternative">Alternative + <input type="radio" name="applet.jsp" value="BKUApplet" checked="checked">Default + <input type="radio" name="applet.jsp" value="BKUAppletAlternative">Alternative </p> <!-- <p> diff --git a/BKUOnline/src/main/webapp/WEB-INF/applicationContext.xml b/BKUOnline/src/main/webapp/WEB-INF/applicationContext.xml index 0324030e..ab8be2b6 100644 --- a/BKUOnline/src/main/webapp/WEB-INF/applicationContext.xml +++ b/BKUOnline/src/main/webapp/WEB-INF/applicationContext.xml @@ -12,106 +12,252 @@ License.
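Review bot: Switching the request form from `method="Post"` to `method="Get"` puts the full Security-Layer XML request into the URL query string, where it lands in browser history, proxy and server access logs and the Referer header of anything linked from the response, and where it is subject to URL length limits that a larger request will exceed. If GET was only enabled to exercise the servlet's query-string handling, keep `method="post"` here and test GET from a dedicated page; otherwise add a comment to the form explaining why GET is acceptable for this request type.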
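Review bot: Renaming both radio buttons from `name="appletPage"` to `name="applet.jsp"` looks unintended: the `<label for="appletPage">` on the preceding context line still refers to the old name, and a parameter literally called `applet.jsp` is inconsistent with the other field names in this form. The server side that consumes it is not in this hunk, but whichever name is used, the value should be mapped onto a fixed set of page names server-side rather than treated as a page path; if the rename is deliberate, `<label for="applet.jsp">Applet Page</label>` and a short comment naming the servlet parameter would make that clear.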
-->
<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:tx="http://www.springframework.org/schema/tx"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-2.0.xsd">
- <bean id="STALFactory" class="at.gv.egiz.stal.service.impl.RequestBrokerSTALFactory"
- scope="singleton" />
+ <!-- configuration -->
+ <bean id="configurationResource"
+ class="org.springframework.web.context.support.ServletContextParameterFactoryBean">
+ <property name="initParamName" value="configurationResource" />
+ </bean>
+
+ <bean id="configuration" class="at.gv.egiz.bku.spring.ConfigurationFactoryBean">
+ <property name="configurationResource" ref="configurationResource" />
+ </bean>
+
+ <bean id="sslPKIProfile" class="at.gv.egiz.bku.spring.PKIProfileFactoryBean">
+ <property name="configuration" ref="configuration"/>
+ <property name="trustProfileId" value="SSL"/>
+ </bean>
+
+ <bean id="sslSocketFactory" class="at.gv.egiz.bku.spring.SSLSocketFactoryBean">
+ <property name="configuration" ref="configuration"/>
+ <property name="pkiProfile" ref="sslPKIProfile"/>
+ </bean>
+
+ <bean id="hostnameVerifier" class="at.gv.egiz.bku.spring.ConfigurableHostnameVerifier">
+ <property name="configuration" ref="configuration"/>
+ </bean>
- <bean id="accessController"
- class="at.gv.egiz.bku.online.accesscontroller.SpringSecurityManager"
- scope="singleton" init-method="init">
- <property name="config" ref="configurator" />
+ <bean id="urlDereferencer" class="at.gv.egiz.bku.utils.urldereferencer.URLDereferencerImpl"
+ factory-method="getInstance">
+ <property name="SSLSocketFactory" ref="sslSocketFactory"/>
+ <property name="hostnameVerifier" ref="hostnameVerifier"/>
+ </bean>
+
+ <!-- security manager for the command invoker -->
+ <bean id="securityManager" class="at.gv.egiz.bku.spring.SecurityManagerFactoryBean">
+ <property name="configuration" ref="configuration" />
</bean>
- <bean id="commandInvoker" class="at.gv.egiz.bku.binding.SLCommandInvokerImpl">
- <property name="securityManager" ref="accessController" />
+ <!-- command invoker -->
+ <bean id="slCommandInvoker" class="at.gv.egiz.bku.binding.SLCommandInvokerImpl">
+ <property name="securityManager" ref="securityManager" />
+ </bean>
+
+ <!-- Security Layer command factory -->
+
+ <bean id="abstractCommandFactory" class="at.gv.egiz.bku.slcommands.AbstractSLCommandFactory"
+ abstract="true">
+ <property name="configuration" ref="configuration"/>
+ </bean>
+
+ <bean id="certificatesInfoboxFactory"
+ class="at.gv.egiz.bku.slcommands.impl.CertificatesInfoboxFactory" />
+ <bean id="identityLinkInfoboxFactory"
+ class="at.gv.egiz.bku.slcommands.impl.IdentityLinkInfoboxFactory">
+ <property name="identityLinkTransformer">
+ <bean class="at.gv.egiz.idlink.IdentityLinkTransformer">
+ <property name="urlDereferencer" ref="urlDereferencer"/>
+ </bean>
+ </property>
+ </bean>
+ <bean id="cardChannelInfoboxFactory"
+ class="at.gv.egiz.bku.slcommands.impl.CardChannelInfoboxFactory" />
+ <bean id="svPersonendatenInfoboxFactory"
+ class="at.gv.egiz.bku.slcommands.impl.SVPersonendatenInfoboxFactory" />
+
+ <bean id="infoboxFactory" class="at.gv.egiz.bku.slcommands.impl.InfoboxFactory">
+ <property name="infoboxFactories">
+ <map>
+ <entry key="Certificates" value-ref="certificatesInfoboxFactory" />
+ <entry key="IdentityLink" value-ref="identityLinkInfoboxFactory" />
+ <entry key="CardChannel" value-ref="cardChannelInfoboxFactory" />
+ <entry key="SV-Personendaten" value-ref="svPersonendatenInfoboxFactory" />
+ </map>
+ </property>
+ </bean>
+
+ <bean id="nullOperationCommandFactory"
+ class="at.gv.egiz.bku.slcommands.impl.NullOperationCommandFactory"
+ parent="abstractCommandFactory" />
+ <bean id="nullOperationRequest" class="javax.xml.namespace.QName">
+ <constructor-arg
+ value="http://www.buergerkarte.at/namespaces/securitylayer/1.2#" />
+ <constructor-arg value="NullOperationRequest" />
+ </bean>
+ <bean id="infoboxReadCommandFactory"
+ class="at.gv.egiz.bku.slcommands.impl.InfoboxReadCommandFactory"
+ parent="abstractCommandFactory">
+ <property name="infoboxFactory" ref="infoboxFactory" />
+ </bean>
+ <bean id="infoboxReadRequest" class="javax.xml.namespace.QName">
+ <constructor-arg
+ value="http://www.buergerkarte.at/namespaces/securitylayer/1.2#" />
+ <constructor-arg value="InfoboxReadRequest" />
+ </bean>
+ <bean id="infoboxUpdateCommandFactory"
+ class="at.gv.egiz.bku.slcommands.impl.InfoboxUpdateCommandFactory"
+ parent="abstractCommandFactory">
+ <property name="infoboxFactory" ref="infoboxFactory" />
+ </bean>
+ <bean id="infoboxUpdateRequest" class="javax.xml.namespace.QName">
+ <constructor-arg
+ value="http://www.buergerkarte.at/namespaces/securitylayer/1.2#" />
+ <constructor-arg value="InfoboxUpdateRequest" />
+ </bean>
+ <bean id="createXMLSignatureCommandFactory"
+ class="at.gv.egiz.bku.slcommands.impl.CreateXMLSignatureCommandFactory"
+ parent="abstractCommandFactory" />
+ <bean id="createXMLSignatureRequest" class="javax.xml.namespace.QName">
+ <constructor-arg
+ value="http://www.buergerkarte.at/namespaces/securitylayer/1.2#" />
+ <constructor-arg value="CreateXMLSignatureRequest" />
+ </bean>
+ <bean id="getStatusCommandFactory" class="at.gv.egiz.bku.slcommands.impl.GetStatusCommandFactory"
+ parent="abstractCommandFactory" />
+ <bean id="getStatusRequest" class="javax.xml.namespace.QName">
+ <constructor-arg
+ value="http://www.buergerkarte.at/namespaces/securitylayer/1.2#" />
+ <constructor-arg value="GetStatusRequest" />
</bean>
<bean id="slCommandFactory" class="at.gv.egiz.bku.slcommands.SLCommandFactory"
factory-method="getInstance">
- <property name="commandImpl">
+ <property name="concreteFactories">
<map>
- <entry
- key="http://www.buergerkarte.at/namespaces/securitylayer/1.2#:NullOperationRequest"
- value="at.gv.egiz.bku.slcommands.impl.NullOperationCommandImpl" />
- <entry
- key="http://www.buergerkarte.at/namespaces/securitylayer/1.2#:InfoboxReadRequest"
- value="at.gv.egiz.bku.slcommands.impl.InfoboxReadCommandImpl" />
- <entry
- key="http://www.buergerkarte.at/namespaces/securitylayer/1.2#:InfoboxUpdateRequest"
- value="at.gv.egiz.bku.slcommands.impl.InfoboxUpdateCommandImpl" />
- <entry
- key="http://www.buergerkarte.at/namespaces/securitylayer/1.2#:CreateXMLSignatureRequest"
- value="at.gv.egiz.bku.slcommands.impl.CreateXMLSignatureCommandImpl" />
- <entry
- key="http://www.buergerkarte.at/namespaces/securitylayer/1.2#:GetStatusRequest"
- value="at.gv.egiz.bku.slcommands.impl.GetStatusCommandImpl" />
+ <entry key-ref="nullOperationRequest" value-ref="nullOperationCommandFactory" />
+ <entry key-ref="infoboxReadRequest" value-ref="infoboxReadCommandFactory" />
+ <entry key-ref="infoboxUpdateRequest" value-ref="infoboxUpdateCommandFactory" />
+ <entry key-ref="createXMLSignatureRequest" value-ref="createXMLSignatureCommandFactory" />
+ <entry key-ref="getStatusRequest" value-ref="getStatusCommandFactory" />
</map>
</property>
+ <!--
+ The following properties may be used to introduce additional XML
+ schemas and binding classes to the command factory.
+ -->
+ <!--
+ If property jaxbContextPackageNames is not set the default JAXBContext
+ is created with the package names given below.
+ -->
+ <!--
+ <property name="jaxbContextPackageNames">
+ <list>
+ <value>at.buergerkarte.namespaces.securitylayer._1</value>
+ <value>org.w3._2000._09.xmldsig_</value>
+ <value>at.buergerkarte.namespaces.cardchannel</value>
+ <value>at.buergerkarte.namespaces.securitylayer._20020225_</value>
+ <value>at.buergerkarte.namespaces.securitylayer._20020831_</value>
+ </list>
+ </property>
+ -->
+ <!--
+ If property schemaUrls is not set the default schema is created from
+ the URLs listed below.
+ -->
+ <!--
+ <property name="schemaUrls">
+ <list>
+ <value>classpath:at/gv/egiz/bku/slschema/xml.xsd</value>
+ <value>classpath:at/gv/egiz/bku/slschema/xmldsig-core-schema.xsd</value>
+ <value>classpath:at/gv/egiz/bku/slschema/Core-1.2.xsd</value>
+ <value>classpath:at/gv/egiz/bku/slschema/Core.20020225.xsd</value>
+ <value>classpath:at/gv/egiz/bku/slschema/Core.20020831.xsd</value>
+ </list>
+ </property>
+ -->
</bean>
- <bean id="infoboxFactory" class="at.gv.egiz.bku.slcommands.impl.InfoboxFactory"
- factory-method="getInstance">
- <property name="infoboxImpl">
- <map>
- <entry
- key="Certificates"
- value="at.gv.egiz.bku.slcommands.impl.CertificatesInfoboxImpl" />
- <entry
- key="IdentityLink"
- value="at.gv.egiz.bku.slcommands.impl.IdentityLinkInfoboxImpl" />
- <entry
- key="CardChannel"
- value="at.gv.egiz.bku.slcommands.impl.CardChannelInfoboxImpl" />
- <entry
- key="SV-Personendaten"
- value="at.gv.egiz.bku.slcommands.impl.SVPersonendatenInfoboxImpl" />
- </map>
- </property>
+ <!-- STAL factory -->
+ <bean id="stalFactory" class="at.gv.egiz.stal.service.impl.RequestBrokerSTALFactory"
+ scope="singleton">
+ <property name="configuration" ref="configuration" />
+ </bean>
+
+ <!-- binding processor factories -->
+ <bean id="httpBindingProcessorFactory" class="at.gv.egiz.bku.binding.HTTPBindingProcessorFactory">
+ <property name="configuration" ref="configuration" />
+ <property name="urlDereferencer" ref="urlDereferencer" />
+ <property name="sslSocketFactory" ref="sslSocketFactory" />
+ <property name="hostnameVerifier" ref="hostnameVerifier" />
+ <property name="slCommandFactory" ref="slCommandFactory" />
+ </bean>
+ <bean id="samlBindingProcessorFactory" class="at.gv.egiz.mocca.id.SAMLBindingProcessorFactory">
+ <property name="configuration" ref="configuration" />
+ <property name="slCommandFactory" ref="slCommandFactory" />
+ <property name="urlDereferencer" ref="urlDereferencer" />
</bean>
+ <!-- binding processor manager -->
<bean id="bindingProcessorManager" class="at.gv.egiz.bku.binding.BindingProcessorManagerImpl"
scope="singleton">
- <constructor-arg ref="STALFactory"></constructor-arg>
- <constructor-arg ref="commandInvoker"></constructor-arg>
- <constructor-arg ref="configuration"></constructor-arg>
+ <property name="stalFactory" ref="stalFactory" />
+ <property name="slCommandInvoker" ref="slCommandInvoker" />
+ <property name="factories">
+ <list>
+ <ref bean="httpBindingProcessorFactory"/>
+ <ref bean="samlBindingProcessorFactory"/>
+ </list>
+ </property>
</bean>
- <!-- TODO DataURL bean with configuration injected -->
-
- <bean
+ <bean id="attributeExporter"
class="org.springframework.web.context.support.ServletContextAttributeExporter">
<property name="attributes">
<map>
- <entry key="bindingProcessorManager">
- <ref bean="bindingProcessorManager" />
- </entry>
+ <entry key="bindingProcessorManager" value-ref="bindingProcessorManager"/>
</map>
</property>
</bean>
- <!-- Configure Configuration -->
- <bean id="certValidator" class="at.gv.egiz.bku.conf.CertValidatorImpl"></bean>
-
-
- <bean id="configurator" class="at.gv.egiz.bku.online.conf.SpringConfigurator"
- init-method="configure" scope="singleton">
- <property name="resource"
- value="classpath:at/gv/egiz/bku/online/conf/defaultConf.properties" />
- <property name="certValidator" ref="certValidator"></property>
- </bean>
-
<!-- Shutdown Event handler -->
- <bean id="shutdown" class="at.gv.egiz.bku.online.webapp.ShutdownHandler">
- <property name="bindingProcessorManager" ref="bindingProcessorManager"></property>
+ <bean id="shutdownHandler" class="at.gv.egiz.bku.online.webapp.ShutdownHandler">
+ <property name="bindingProcessorManager" ref="bindingProcessorManager" />
</bean>
+
+ <!-- JMX -->
+ <bean
+ class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
+ <property name="properties">
+ <map>
+ <entry key="contextPath">
+ <bean class="at.gv.egiz.bku.online.spring.ServletContextPathFactoryBean"/>
+ </entry>
+ </map>
+ </property>
+ </bean>
- <!-- Begin MOCCA Configuration [REFACTORED]
- | Configuration beans (no conf properties file) should be injected directly
- | to module configurators (at.gv.egiz.bku.X.conf.Configuration).
- | Currently, only configuration items are considered.
- |-->
- <import resource="mocca-conf.xml"/>
+ <bean id="mbeanServer" class="org.springframework.jmx.support.MBeanServerFactoryBean">
+ <property name="locateExistingServerIfPossible" value="true" />
+ </bean>
+
+ <bean id="exporter" class="org.springframework.jmx.export.MBeanExporter">
+ <property name="server" ref="mbeanServer"/>
+ <property name="beans">
+ <map>
+ <entry
+ key="at.gv.egiz.mocca:type=bindingProcessorManager,contextPath=${contextPath},name=HTTP"
+ value-ref="bindingProcessorManager" />
+ <entry
+ key="at.gv.egiz.mocca:type=stalFactory,contextPath=${contextPath},name=RequestBrocker"
+ value-ref="stalFactory" />
+ <entry
+ key="at.gv.egiz.mocca:type=slCommandInvoker,contextPath=${contextPath},name=CommandInvoker"
+ value-ref="slCommandInvoker" />
+ </map>
+ </property>
+ </bean>
+
</beans>
\ No newline at end of file
diff --git a/BKUOnline/src/main/webapp/WEB-INF/conf/configuration.xml b/BKUOnline/src/main/webapp/WEB-INF/conf/configuration.xml
new file mode 100644
index 00000000..20d27bb0
--- /dev/null
+++ b/BKUOnline/src/main/webapp/WEB-INF/conf/configuration.xml
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<MoccaConfiguration version="1.0">
+ <DataURLConnection>
+ <!--
+ The maximum number of consecutive Security Layer requests received
+ from DataURL server before execution is aborted.
+ -->
+ <MaxHops>50</MaxHops>
+ </DataURLConnection>
+</MoccaConfiguration>
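Review bot: The `xsi:schemaLocation` on the context line just after the edited namespace declarations still lists the `http://www.springframework.org/schema/tx` namespace and its XSD although the commit removes the `xmlns:tx` declaration; the now-unused pair should go too, leaving `xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd"`. The JMX ObjectName for the STAL factory in the `exporter` map spells the component `RequestBrocker`; unless that is deliberate it should read `RequestBroker` before monitoring starts keying on the name. The `hostnameVerifier` bean is a `ConfigurableHostnameVerifier` driven by `configuration` and is wired into both `urlDereferencer` and `httpBindingProcessorFactory`, so its behaviour when the configuration has no entry decides whether outbound TLS connections get hostname checking at all; presumably it defaults to strict verification, and a comment on the bean stating that default would save readers a trip into the class.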
\ No newline at end of file
diff --git a/BKUOnline/src/main/webapp/WEB-INF/mocca-conf.xml b/BKUOnline/src/main/webapp/WEB-INF/mocca-conf.xml
deleted file mode 100644
index 5c96dc58..00000000
--- a/BKUOnline/src/main/webapp/WEB-INF/mocca-conf.xml
+++ /dev/null
@@ -1,51 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!-- - Copyright 2008 Federal Chancellery Austria and - Graz University of Technology - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. ---> - -<!-- - | User configuration file. (defaultConf.properties is migrated to this file) ---> -<beans xmlns="http://www.springframework.org/schema/beans" - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:tx="http://www.springframework.org/schema/tx" - xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd - http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-2.0.xsd"> - - <!-- BKU Common (ie. 
main) Configuration --> - <bean id="configuration" class="at.gv.egiz.bku.conf.Configuration"> - <property name="maxDataUrlHops" value="50"/> - - <!-- TODO refactor DataURL and inject this bkuCommonConfig to DataURL --> - <!-- TODO inject bkuCommonConfig to SpringBKUServlet and SpringSecurityManager - | and replace SpringConfigurator --> - <!-- used to construct the User-Agent HTTP header - <property name="implementationName" value="MOCCA"/> - <property name="implementationVersion" value="1.0"/--> - </bean> - - <!-- - | ReaderFactory configuration not available in Applet - | - <bean id="smccConfiguration" class="at.gv.egiz.smcc.conf.SMCCConfiguration"> - <property name="disablePinpad" value="true"/> - </bean> - - <bean id="readerFactory" class="at.gv.egiz.smcc.reader.ReaderFactory"> - <property name="configuration" ref="smccConfiguration"/> - </bean> - |--> - -</beans> diff --git a/BKUOnline/src/main/webapp/WEB-INF/web.xml b/BKUOnline/src/main/webapp/WEB-INF/web.xml index 41cd400f..13ed30ee 100644 --- a/BKUOnline/src/main/webapp/WEB-INF/web.xml +++ b/BKUOnline/src/main/webapp/WEB-INF/web.xml 
@@ -15,19 +15,23 @@ <web-app id="bkuonline" version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"> <display-name>http-security-layer-request</display-name> - <!-- Begin Spring Config --> - <context-param> - <param-name>contextConfigLocation</param-name> - <param-value>/WEB-INF/applicationContext.xml</param-value> - </context-param> <listener> - <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> + <listener-class>at.gv.egiz.bku.online.webapp.MoccaContextListener</listener-class> </listener> + + <!-- Begin Spring Config --> + <listener> + <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> + </listener> + <context-param> + <param-name>configurationResource</param-name> + <param-value></param-value> + </context-param> <!-- End Spring Config --> <!-- Begin BKU Config --> <listener> - <listener-class>at.gv.egiz.bku.online.webapp.SessionTimeout</listener-class> + <listener-class>at.gv.egiz.bku.online.webapp.SessionListener</listener-class> </listener> <listener> <listener-class>com.sun.xml.ws.transport.http.servlet.WSServletContextListener</listener-class> @@ -37,6 +41,14 @@ <servlet-class>at.gv.egiz.bku.online.webapp.BKURequestHandler</servlet-class> </servlet> <servlet> + <servlet-name>SAMLServlet</servlet-name> + <servlet-class>at.gv.egiz.mocca.id.SAMLRequestHandler</servlet-class> + </servlet> + <servlet> + <servlet-name>DataURLServlet</servlet-name> + <servlet-class>at.gv.egiz.mocca.id.DataURLServerServlet</servlet-class> + </servlet> + <servlet> <servlet-name>ResultServlet</servlet-name> <servlet-class>at.gv.egiz.bku.online.webapp.ResultServlet</servlet-class> <init-param> 
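Review bot: The new `configurationResource` context-param is declared with an empty `<param-value></param-value>`, and `applicationContext.xml` in this commit feeds that value through `ServletContextParameterFactoryBean` into `ConfigurationFactoryBean`; what an empty string means there (built-in defaults, or a failure at startup) is not stated anywhere. A comment on the param such as `<!-- location of the MOCCA configuration resource; leave empty to use the built-in defaults -->` would make the contract explicit, with the wording adjusted to whatever the factory bean actually does. The commit also registers `MoccaContextListener` ahead of `ContextLoaderListener`; if that ordering is required (presumably the MOCCA listener must run before Spring reads the parameter) it is worth a one-line comment, since listener order in `web.xml` is easy to disturb.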
@@ -45,31 +57,39 @@ </init-param> <init-param> <param-name>expiredPage</param-name> - <!-- FIXME --> <param-value>expired.html</param-value> </init-param> </servlet> - <servlet> - <servlet-name>BKUApplet</servlet-name> - <jsp-file>/applet.jsp</jsp-file> - </servlet> - <servlet> - <servlet-name>STALService</servlet-name> - <servlet-class>com.sun.xml.ws.transport.http.servlet.WSServlet</servlet-class> - <load-on-startup>1</load-on-startup> - </servlet> - <servlet-mapping> - <servlet-name>BKUServlet</servlet-name> - <url-pattern>/http-security-layer-request</url-pattern> - </servlet-mapping> + <servlet> + <servlet-name>STALService</servlet-name> + <servlet-class>com.sun.xml.ws.transport.http.servlet.WSServlet</servlet-class> + <load-on-startup>1</load-on-startup> + </servlet> + <servlet-mapping> + <servlet-name>BKUServlet</servlet-name> + <url-pattern>/http-security-layer-request</url-pattern> + </servlet-mapping> <servlet-mapping> <servlet-name>BKUServlet</servlet-name> <url-pattern>/https-security-layer-request</url-pattern> </servlet-mapping> <servlet-mapping> + <servlet-name>DataURLServlet</servlet-name> + <url-pattern>/DataURLServer</url-pattern> + </servlet-mapping> + <servlet-mapping> <servlet-name>ResultServlet</servlet-name> <url-pattern>/bkuResult</url-pattern> </servlet-mapping> + <servlet-mapping> + <servlet-name>SAMLServlet</servlet-name> + <url-pattern>/moccaid</url-pattern> + </servlet-mapping> + <servlet-mapping> + <servlet-name>DataURLServlet</servlet-name> + <url-pattern>/DataURLServer</url-pattern> + </servlet-mapping> + <!-- | Configure alternative applet pages that may be requested diff --git a/BKUOnline/src/main/webapp/applet.jsp b/BKUOnline/src/main/webapp/applet.jsp index 582bee7e..3b284496 100644 --- a/BKUOnline/src/main/webapp/applet.jsp +++ b/BKUOnline/src/main/webapp/applet.jsp 
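Review bot: The `DataURLServlet` to `/DataURLServer` servlet-mapping is added twice in this hunk, once right after the `BKUServlet` HTTPS mapping and again after the new `SAMLServlet` mapping; a duplicated `<url-pattern>` is at best redundant and some containers reject it at deployment, so one of the two blocks should be dropped. The hunk also re-indents the `STALService` servlet and the first `BKUServlet` mapping without changing them, which hides the real changes in the diff and is better done in a separate whitespace-only commit.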
@@ -79,14 +79,50 @@ %> <body id="appletpage" style="width:<%=width%>px"> + + + <div id="container" style="float: left; width: <%= width %>"> + + <form name="increaseform" action="javascript:increaseSize()" method="get"> + + <!-- increase font size image --> + <input type="image" src="img/inc.png" alt="Text vergrößern" width="13px" height="18px" style="float: left;" id="increase_image"/> + + </form> + + + <form name="decreaseform" action="javascript:decreaseSize()" method="get"> + + <!-- decrease font size image --> + <input type="image" src="img/dec.png" alt="Text verkleinern" width="13px" height="18px" style="float: left;" id="decrease_image"/> + + </form> + + + + <form name="helpform" action="help/index.html" method="get" target="_new" + onsubmit="this.action=document.moccaapplet.getHelpURL(); this.submit(); return false;"> + + <!-- invisible input --> + <input type="image" src="img/help.png" alt=" " width="0px" height="0px" style="float: left;" onFocus="focusToApplet()"/> + + <!-- help image --> + <input type="image" src="img/help.png" alt="Hilfe" width="13px" height="18px" style="float: right;" id="helpimage"/> + + + </form> + + + <script type="text/javascript"> + if (!deployJava.versionCheck('1.6.0_04+')) { - document.write('<p>Diese Anwendung benötigt Version 6 Update 4 oder höher der <a href="" onclick="deployJava.installLatestJRE();">Java™ Laufzeitumgebung</a>.</p>'); + document.write('<p>Diese Anwendung benötigt Version 6 Update 4 oder höher der <a href="" onclick="deployJava.installLatestJRE();">Java™ Laufzeitumgebung</a>.</p>'); } else { var attributes = { codebase :'<%=codebase%>', code : '<%=appletClass%>', - archive : '<%=appletArchive +".jar, commons-logging.jar, iaik_jce_me4se.jar"%>', + archive : '<%=appletArchive +".jar"%>', width : <%=width%>, height :<%=height%>, name : 'moccaapplet', 
@@ -106,6 +142,98 @@ }; deployJava.runApplet(attributes, parameters, '1.6.0_04'); } + </script> + + + + </div> + </body> + + <script> + + + + function focusToBrowser() { + + // put focus to window + // focus can be assigned to any focusable field on the embedding website + + //alert("Put focus to browser.."); + //self.focus(); + document.getElementById("helpimage").focus(); + + } + + function focusToApplet() { + + //alert('try to set focus to applet'); + if (document != null && document.moccaapplet != null) { + + //alert('set focus to applet.'); + document.moccaapplet.getFocusFromBrowser(); + return true; + } + } + + + function increaseSize() { + + var appwidth = document.moccaapplet.width; + var appheight = document.moccaapplet.height; + + document.moccaapplet.width = (appwidth * 1.2); + document.moccaapplet.height = (appheight * 1.2); + + document.getElementById("container").style.width = (appwidth * 1.2); + + // TODO: This does not work in firefox, seems that width and height attributes cannot be read + // and set from input of type image + var image_width = document.getElementById("increase_image").width; + var image_height = document.getElementById("increase_image").height; + + + document.getElementById("helpimage").width = (image_width * 1.2); + document.getElementById("helpimage").height = (image_height * 1.2); + + document.getElementById("increase_image").width = (image_width * 1.2); + document.getElementById("increase_image").height = (image_height * 1.2); + + document.getElementById("decrease_image").width = (image_width * 1.2); + document.getElementById("decrease_image").height = (image_height * 1.2); + + + } + + function decreaseSize() { + + var appwidth = document.moccaapplet.width; + var appheight = document.moccaapplet.height; + + document.moccaapplet.width = (appwidth * 0.8333333333333); + document.moccaapplet.height = (appheight * 0.8333333333333); + + document.getElementById("container").style.width = (appwidth * 0.8333333333333); + + // TODO: 
This does not work in firefox, seems that width and height attributes cannot be read + // and set from input of type image + var image_width = document.getElementById("increase_image").width; + var image_height = document.getElementById("increase_image").height; + + + document.getElementById("helpimage").width = (image_width * 0.8333333333333); + document.getElementById("helpimage").height = (image_height * 0.8333333333333); + + document.getElementById("increase_image").width = (image_width * 0.8333333333333); + document.getElementById("increase_image").height = (image_height * 0.8333333333333); + + document.getElementById("decrease_image").width = (image_width * 0.8333333333333); + document.getElementById("decrease_image").height = (image_height * 0.8333333333333); + + + } + + </script> + </html> diff --git a/BKUOnline/src/main/webapp/img/dec.png b/BKUOnline/src/main/webapp/img/dec.png Binary files differnew file mode 100644 index 00000000..87693cf4 --- /dev/null +++ b/BKUOnline/src/main/webapp/img/dec.png diff --git a/BKUOnline/src/main/webapp/img/help.png b/BKUOnline/src/main/webapp/img/help.png Binary files differnew file mode 100644 index 00000000..5d6da3bf --- /dev/null +++ b/BKUOnline/src/main/webapp/img/help.png diff --git a/BKUOnline/src/main/webapp/img/inc.png b/BKUOnline/src/main/webapp/img/inc.png Binary files differnew file mode 100644 index 00000000..26e58b80 --- /dev/null +++ b/BKUOnline/src/main/webapp/img/inc.png diff --git a/BKUOnline/src/main/webapp/local.jsp b/BKUOnline/src/main/webapp/local.jsp new file mode 100644 index 00000000..48d62674 --- /dev/null +++ b/BKUOnline/src/main/webapp/local.jsp 
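Review bot: `increaseSize` and `decreaseSize` in the new trailing script are the same twenty lines with the factor `1.2` swapped for `0.8333333333333`, and both read the reference size from `increase_image` only; a single `scaleApplet(factor)` helper removes the duplication and makes the shrink factor an exact `1 / 1.2` instead of a truncated literal. The new `<script>` block is also placed after `</body>`, which is not valid HTML 4.01 (browsers tolerate it, but the earlier script in this page sits inside the body and carries `type="text/javascript"`, and this one should match). `focusToApplet` returns `true` only on its success path and falls off the end otherwise; an explicit `return false;` after the `if` would make the onFocus handler's result deterministic.

```javascript
    // Scale the applet and the font-size controls by a common factor
    // (1.2 to enlarge, 1/1.2 to shrink) so both directions stay in sync.
    function scaleApplet(factor) {
      var appwidth = document.moccaapplet.width;
      var appheight = document.moccaapplet.height;

      document.moccaapplet.width = (appwidth * factor);
      document.moccaapplet.height = (appheight * factor);

      document.getElementById("container").style.width = (appwidth * factor);

      // TODO: This does not work in firefox, seems that width and height attributes cannot be read
      // and set from input of type image
      var image_width = document.getElementById("increase_image").width;
      var image_height = document.getElementById("increase_image").height;

      var ids = ["helpimage", "increase_image", "decrease_image"];
      for (var i = 0; i < ids.length; i++) {
        var img = document.getElementById(ids[i]);
        img.width = (image_width * factor);
        img.height = (image_height * factor);
      }
    }

    function increaseSize() {
      scaleApplet(1.2);
    }

    function decreaseSize() {
      scaleApplet(1 / 1.2);
    }
    // … unchanged: focusToBrowser, focusToApplet …
```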
@@ -0,0 +1,63 @@ +<!-- + Copyright 2008 Federal Chancellery Austria and + Graz University of Technology + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> +<%@ page language="java" contentType="text/html; charset=UTF-8" + pageEncoding="UTF-8" + import="at.gv.egiz.bku.online.webapp.AppletDispatcher,org.apache.commons.lang.RandomStringUtils,org.apache.commons.lang.StringEscapeUtils" %> + +<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> +<html> + <head> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> + <title>MOCCA</title> + <link rel="shortcut icon" href="img/chip16.ico" type="image/x-icon"> + <style type="text/css" media="all">@import "css/applet.css";</style> + + <META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE"> + <META HTTP-EQUIV="EXPIRES" CONTENT="Mon, 22 Jul 2002 11:12:01 GMT"> + <META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE"> + </head> + <% + int width = session.getAttribute("appletWidth") == null ? 190 + : (Integer) session.getAttribute("appletWidth"); + int height = session.getAttribute("appletHeight") == null ? 130 + : (Integer) session.getAttribute("appletHeight"); + String backgroundImg = StringEscapeUtils.escapeJavaScript(session + .getAttribute("appletBackground") == null ? 
"../img/chip32.png" + : (String) session.getAttribute("appletBackground")); + String backgroundColor = StringEscapeUtils + .escapeJavaScript((String) session + .getAttribute("appletBackgroundColor")); + + String sessionId = StringEscapeUtils.escapeJavaScript(session.getId()); + + String dataURL = request.getRequestURL().toString(); + dataURL = dataURL.substring(0, dataURL.lastIndexOf('/')) + "/DataURLServer"; + %> + <body id="appletpage" style="width:<%=width%>px;height:<%=height%>px"> + <div style="width:<%=width%>px;height:<%=height%>px"> + <form action="http://127.0.0.1:3495/http-security-layer-request" method="post" enctype="application/x-www-form-urlencoded"> + <input name="SessionID_" value="<%=sessionId%>" type="hidden"/> + <input name="DataURL" value="<%=dataURL%>" id="DataURL" type="hidden"/> + <input name="XMLRequest" value="<NullOperationRequest xmlns='http://www.buergerkarte.at/namespaces/securitylayer/1.2#'/>" type="hidden"/> + <p>Anfrage wird an lokale BKU gesendet</p> + <div style="text-align: center;"> + <input type="submit" style="vertical-align: middle"/> + </div> + </form> + </div> + </body> +</html> |
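Review bot: The hidden `DataURL` input interpolates `dataURL` into an HTML attribute without any escaping, and `sessionId` is run through `escapeJavaScript`, which is the wrong escaper for an attribute value; since `dataURL` is built from `request.getRequestURL()`, i.e. from the request as the container reconstructs it rather than from configuration, both values should be HTML-escaped: `value="<%=StringEscapeUtils.escapeHtml(dataURL)%>"` and `value="<%=StringEscapeUtils.escapeHtml(session.getId())%>"`. The locals `backgroundImg` and `backgroundColor`, and the imported `AppletDispatcher` and `RandomStringUtils`, are never used in this page and look carried over from `applet.jsp`; removing them keeps the scriptlet to what the form needs. The hard-coded `http://127.0.0.1:3495/http-security-layer-request` target deserves a comment naming it as the Security Layer loopback endpoint of the locally installed citizen-card environment, so it is not mistaken for a test value.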