From b1c8641a63a67e3c64d948f9e8dce5c01e11e2dd Mon Sep 17 00:00:00 2001 
From: mcentner Date: Wed, 5 May 2010 15:29:01 +0000 Subject: Merged feature branch mocca-1.2.13-id@r724 back to trunk. git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@725 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4 --- .../accesscontroller/SpringSecurityManager.java | 63 ---- .../egiz/bku/online/conf/SpringConfigurator.java | 127 ------- .../spring/ServletContextPathFactoryBean.java | 49 +++ .../online/webapp/AbstractWebRequestHandler.java | 327 ++++++++++++++++ .../egiz/bku/online/webapp/AppletDispatcher.java | 13 +- .../egiz/bku/online/webapp/BKURequestHandler.java | 289 +-------------- .../bku/online/webapp/MoccaContextListener.java | 128 +++++++ .../gv/egiz/bku/online/webapp/ResultServlet.java | 121 +++--- .../gv/egiz/bku/online/webapp/SessionListener.java | 47 +++ .../gv/egiz/bku/online/webapp/SessionTimeout.java | 49 --- .../gv/egiz/bku/online/webapp/ShutdownHandler.java | 96 ++--- .../egiz/bku/online/webapp/SpringBKUServlet.java | 8 +- .../AbstractCommandSequenceBindingProcessor.java | 123 ++++++ .../at/gv/egiz/mocca/id/DataURLServerServlet.java | 225 +++++++++++ .../src/main/java/at/gv/egiz/mocca/id/IdLink.java | 346 +++++++++++++++++ .../java/at/gv/egiz/mocca/id/IdLinkException.java | 43 +++ .../java/at/gv/egiz/mocca/id/IdLinkFactory.java | 154 ++++++++ .../at/gv/egiz/mocca/id/IdLinkKeySelector.java | 88 +++++ .../java/at/gv/egiz/mocca/id/IdLinkPersonData.java | 76 ++++ .../at/gv/egiz/mocca/id/PersonalIdentifier.java | 81 ++++ .../java/at/gv/egiz/mocca/id/QESTemplates.java | 115 ++++++ .../egiz/mocca/id/SAMLBindingProcessorFactory.java | 44 +++ .../gv/egiz/mocca/id/SAMLBindingProcessorImpl.java | 357 ++++++++++++++++++ .../at/gv/egiz/mocca/id/SAMLRequestHandler.java | 33 ++ .../java/at/gv/egiz/mocca/id/SLCommandBrocker.java | 100 +++++ .../service/impl/RequestBrokerSTALFactory.java | 49 ++- .../stal/service/impl/STALRequestBrokerImpl.java | 24 +- .../gv/egiz/stal/service/impl/STALServiceImpl.java | 385 ++++++++++--------- 
.../stal/service/impl/STALXJAXBContextFactory.java | 7 +- .../egiz/stal/service/impl/TestSignatureData.java | 7 +- BKUOnline/src/main/policy/50mocca.policy | 229 +++++------- BKUOnline/src/main/policy/catalina.policy | 411 +++++++++++++++++++++ .../egiz/bku/online/conf/accessControlConfig.xml | 84 ----- .../at/gv/egiz/mocca/id/idlschema/PersonData.xsd | 57 +++ .../oasis-sstc-saml-schema-assertion-1.0.xsd | 105 ++++++ .../mocca/id/idlschema/xmldsig-core-schema.xsd | 308 +++++++++++++++ .../at/gv/egiz/mocca/id/idlschema/xmldsig-more.xsd | 147 ++++++++ .../src/main/resources/commons-logging.properties | 16 - BKUOnline/src/main/resources/log4j.properties | 7 +- BKUOnline/src/main/webapp/IDRequestForm.html | 71 ++++ BKUOnline/src/main/webapp/PINManagement.jsp | 82 +++- BKUOnline/src/main/webapp/SLRequestForm.html | 6 +- .../src/main/webapp/WEB-INF/applicationContext.xml | 288 +++++++++++---- .../src/main/webapp/WEB-INF/conf/configuration.xml | 10 + BKUOnline/src/main/webapp/WEB-INF/mocca-conf.xml | 51 --- BKUOnline/src/main/webapp/WEB-INF/web.xml | 62 ++-- BKUOnline/src/main/webapp/applet.jsp | 132 ++++++- BKUOnline/src/main/webapp/img/dec.png | Bin 0 -> 6311 bytes BKUOnline/src/main/webapp/img/help.png | Bin 0 -> 303 bytes BKUOnline/src/main/webapp/img/inc.png | Bin 0 -> 7198 bytes BKUOnline/src/main/webapp/local.jsp | 63 ++++ .../at/gv/egiz/bku/online/conf/SSLConfigTest.java | 40 -- .../egiz/stal/service/STALRequestBrokerTest.java | 7 +- .../src/test/resources/commons-logging.properties | 16 - BKUOnline/src/test/resources/templates/empty.xml | 2 + .../src/test/resources/templates/template.xsl | 88 +++++ 56 files changed, 4546 insertions(+), 1310 deletions(-) delete mode 100644 BKUOnline/src/main/java/at/gv/egiz/bku/online/accesscontroller/SpringSecurityManager.java delete mode 100644 BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/SpringConfigurator.java create mode 100644 BKUOnline/src/main/java/at/gv/egiz/bku/online/spring/ServletContextPathFactoryBean.java 
create mode 100644 BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/AbstractWebRequestHandler.java create mode 100644 BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/MoccaContextListener.java create mode 100644 BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/SessionListener.java delete mode 100644 BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/SessionTimeout.java create mode 100644 BKUOnline/src/main/java/at/gv/egiz/mocca/id/AbstractCommandSequenceBindingProcessor.java create mode 100644 BKUOnline/src/main/java/at/gv/egiz/mocca/id/DataURLServerServlet.java create mode 100644 BKUOnline/src/main/java/at/gv/egiz/mocca/id/IdLink.java create mode 100644 BKUOnline/src/main/java/at/gv/egiz/mocca/id/IdLinkException.java create mode 100644 BKUOnline/src/main/java/at/gv/egiz/mocca/id/IdLinkFactory.java create mode 100644 BKUOnline/src/main/java/at/gv/egiz/mocca/id/IdLinkKeySelector.java create mode 100644 BKUOnline/src/main/java/at/gv/egiz/mocca/id/IdLinkPersonData.java create mode 100644 BKUOnline/src/main/java/at/gv/egiz/mocca/id/PersonalIdentifier.java create mode 100644 BKUOnline/src/main/java/at/gv/egiz/mocca/id/QESTemplates.java create mode 100644 BKUOnline/src/main/java/at/gv/egiz/mocca/id/SAMLBindingProcessorFactory.java create mode 100644 BKUOnline/src/main/java/at/gv/egiz/mocca/id/SAMLBindingProcessorImpl.java create mode 100644 BKUOnline/src/main/java/at/gv/egiz/mocca/id/SAMLRequestHandler.java create mode 100644 BKUOnline/src/main/java/at/gv/egiz/mocca/id/SLCommandBrocker.java create mode 100644 BKUOnline/src/main/policy/catalina.policy delete mode 100644 BKUOnline/src/main/resources/at/gv/egiz/bku/online/conf/accessControlConfig.xml create mode 100644 BKUOnline/src/main/resources/at/gv/egiz/mocca/id/idlschema/PersonData.xsd create mode 100644 BKUOnline/src/main/resources/at/gv/egiz/mocca/id/idlschema/oasis-sstc-saml-schema-assertion-1.0.xsd create mode 100644 BKUOnline/src/main/resources/at/gv/egiz/mocca/id/idlschema/xmldsig-core-schema.xsd 
create mode 100644 BKUOnline/src/main/resources/at/gv/egiz/mocca/id/idlschema/xmldsig-more.xsd delete mode 100644 BKUOnline/src/main/resources/commons-logging.properties create mode 100644 BKUOnline/src/main/webapp/IDRequestForm.html create mode 100644 BKUOnline/src/main/webapp/WEB-INF/conf/configuration.xml delete mode 100644 BKUOnline/src/main/webapp/WEB-INF/mocca-conf.xml create mode 100644 BKUOnline/src/main/webapp/img/dec.png create mode 100644 BKUOnline/src/main/webapp/img/help.png create mode 100644 BKUOnline/src/main/webapp/img/inc.png create mode 100644 BKUOnline/src/main/webapp/local.jsp delete mode 100644 BKUOnline/src/test/java/at/gv/egiz/bku/online/conf/SSLConfigTest.java delete mode 100644 BKUOnline/src/test/resources/commons-logging.properties create mode 100644 BKUOnline/src/test/resources/templates/empty.xml create mode 100644 BKUOnline/src/test/resources/templates/template.xsl (limited to 'BKUOnline/src') diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/accesscontroller/SpringSecurityManager.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/accesscontroller/SpringSecurityManager.java deleted file mode 100644 index 5795478b..00000000 --- a/BKUOnline/src/main/java/at/gv/egiz/bku/online/accesscontroller/SpringSecurityManager.java +++ /dev/null 
@@ -1,63 +0,0 @@ -/* -* Copyright 2008 Federal Chancellery Austria and -* Graz University of Technology -* -* Licensed under the Apache License, Version 2.0 (the "License"); -* you may not use this file except in compliance with the License. -* You may obtain a copy of the License at -* -* http://www.apache.org/licenses/LICENSE-2.0 -* -* Unless required by applicable law or agreed to in writing, software -* distributed under the License is distributed on an "AS IS" BASIS, -* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -* See the License for the specific language governing permissions and -* limitations under the License. -*/ -package at.gv.egiz.bku.online.accesscontroller; - -import java.io.IOException; - -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; -import org.springframework.context.ResourceLoaderAware; -import org.springframework.core.io.Resource; -import org.springframework.core.io.ResourceLoader; - -import at.gv.egiz.bku.accesscontroller.SecurityManagerFacade; -import at.gv.egiz.bku.conf.Configurator; - -public class SpringSecurityManager extends SecurityManagerFacade implements - ResourceLoaderAware { - - private ResourceLoader resourceLoader; - - private static Log log = LogFactory.getLog(SpringSecurityManager.class); - - protected Configurator config; - - public void setConfig(Configurator config) { - this.config = config; - } - - public void init() { - String noMatch = config.getProperty("AccessController.acceptNoMatch"); - if (noMatch != null) { - log.debug("Setting allow now match to: " + noMatch); - setAllowUnmatched(Boolean.getBoolean(noMatch)); - } - String policy = config.getProperty("AccessController.policyResource"); - log.info("Loading resource: " + policy); - try { - Resource res = resourceLoader.getResource(policy); - init(res.getInputStream()); - } catch (IOException e) { - log.error(e); - } - } - - @Override - public void setResourceLoader(ResourceLoader loader) { - 
this.resourceLoader = loader; - } -} diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/SpringConfigurator.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/SpringConfigurator.java deleted file mode 100644 index 6030c1c0..00000000 --- a/BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/SpringConfigurator.java +++ /dev/null 
@@ -1,127 +0,0 @@ -/* - * Copyright 2008 Federal Chancellery Austria and - * Graz University of Technology - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package at.gv.egiz.bku.online.conf; - -import java.io.File; -import java.io.IOException; -import java.io.InputStream; -import java.util.Properties; - -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; -import org.springframework.context.ResourceLoaderAware; -import org.springframework.core.io.Resource; -import org.springframework.core.io.ResourceLoader; - -import at.gv.egiz.bku.conf.Configurator; -import at.gv.egiz.bku.online.webapp.SpringBKUServlet; -import at.gv.egiz.bku.slexceptions.SLRuntimeException; -import at.gv.egiz.stal.service.impl.RequestBrokerSTALFactory; - -public class SpringConfigurator extends Configurator implements - ResourceLoaderAware { - - private final static Log log = LogFactory.getLog(SpringConfigurator.class); - - private ResourceLoader resourceLoader; - - public void setResource(Resource resource) { - log.debug("Loading config from: " + resource); - if (resource != null) { - Properties props = new Properties(); - try { - props.load(resource.getInputStream()); - super.setConfiguration(props); - } catch (IOException e) { - log.error("Cannot load config", e); - } - } else { - log.warn("Cannot load properties, resource: " + resource); - } - } - - public void configureNetwork() { - super.configureNetwork(); - String appletTimeout = 
getProperty("AppletTimeout"); - if ((appletTimeout != null)) { - try { - long ato = Long.parseLong(appletTimeout); - log.debug("Setting applet timeout to:"+ato); - RequestBrokerSTALFactory.setTimeout(ato); - } catch (NumberFormatException nfe) { - log.error("Cannot set Applettimeout", nfe); - } - - } - } - - public void configure() { - super.configure(); - SpringBKUServlet.setConfigurator(this); - } - - @Override - public void setResourceLoader(ResourceLoader loader) { - this.resourceLoader = loader; - } - - private File getDirectory(String property) { - if (property != null) { - Resource certDirRes = resourceLoader.getResource(property); - File certDir; - try { - certDir = certDirRes.getFile(); - } catch (IOException e) { - log.error("Cannot get cert directory", e); - throw new SLRuntimeException(e); - } - if (!certDir.isDirectory()) { - log.error("Expecting directory as SSL.certDirectory parameter"); - throw new SLRuntimeException( - "Expecting directory as SSL.certDirectory parameter"); - } - return certDir; - } - return null; - - } - - @Override - protected File getCADir() { - String caDirectory = getProperty("SSL.caDirectory"); - return getDirectory(caDirectory); - } - - @Override - protected File getCertDir() { - String certDirectory = getProperty("SSL.certDirectory"); - return getDirectory(certDirectory); - } - - @Override - protected InputStream getManifest() { - Resource r = resourceLoader.getResource("META-INF/MANIFEST.MF"); - if (r != null) { - try { - return r.getInputStream(); - } catch (IOException e) { - log.error("Cannot read manifest data:", e); - } - } - return null; - } -} \ No newline at end of file diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/spring/ServletContextPathFactoryBean.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/spring/ServletContextPathFactoryBean.java new file mode 100644 index 00000000..27dfcd92 --- /dev/null +++ b/BKUOnline/src/main/java/at/gv/egiz/bku/online/spring/ServletContextPathFactoryBean.java 
@@ -0,0 +1,49 @@
+/*
+* Copyright 2009 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+package at.gv.egiz.bku.online.spring;
+
+import javax.servlet.ServletContext;
+
+import org.springframework.beans.factory.FactoryBean;
+import org.springframework.web.context.ServletContextAware;
+
+public class ServletContextPathFactoryBean implements FactoryBean, ServletContextAware {
+
+ private String contextPath;
+
+ @Override
+ public void setServletContext(ServletContext servletContext) {
+ contextPath = servletContext.getContextPath();
+ }
+
+ @Override
+ public Object getObject() throws Exception {
+ return contextPath;
+ }
+
+ @Override
+ public Class getObjectType() {
+ return String.class;
+ }
+
+ @Override
+ public boolean isSingleton() {
+ return true;
+ }
+
+}
diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/AbstractWebRequestHandler.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/AbstractWebRequestHandler.java
new file mode 100644
index 00000000..019b8efe
--- /dev/null
+++ b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/AbstractWebRequestHandler.java
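Review bot: The new class implements the raw `FactoryBean` and returns a raw `Class` from getObjectType, so the type of the bean it produces is never checked by the compiler; if the Spring version in use is 3.0 or later, `public class ServletContextPathFactoryBean implements FactoryBean<String>, ServletContextAware` together with `public String getObject()` and `public Class<?> getObjectType()` would make the contract explicit. The class also carries no Javadoc; a one-line summary such as `/** Exposes the web application's context path (ServletContext.getContextPath()) as a String bean. */` would tell readers why a FactoryBean is used here instead of a plain property.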
@@ -0,0 +1,327 @@ +/* +* Copyright 2009 Federal Chancellery Austria and +* Graz University of Technology +* +* Licensed under the Apache License, Version 2.0 (the "License"); +* you may not use this file except in compliance with the License. +* You may obtain a copy of the License at +* +* http://www.apache.org/licenses/LICENSE-2.0 +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, +* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +* See the License for the specific language governing permissions and +* limitations under the License. +*/ + +package at.gv.egiz.bku.online.webapp; + +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.io.InputStream; +import java.net.URI; +import java.net.URISyntaxException; +import java.util.Arrays; +import java.util.Enumeration; +import java.util.HashMap; +import java.util.Locale; +import java.util.Map; +import java.util.regex.Pattern; + +import javax.servlet.ServletException; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.servlet.http.HttpSession; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.slf4j.MDC; + +import at.gv.egiz.bku.binding.HTTPBindingProcessor; +import at.gv.egiz.bku.binding.HttpUtil; +import at.gv.egiz.bku.binding.Id; +import at.gv.egiz.bku.binding.IdFactory; +import at.gv.egiz.bku.binding.InputDecoderFactory; +import at.gv.egiz.bku.utils.StreamUtil; +import at.gv.egiz.org.apache.tomcat.util.http.AcceptLanguage; + +public abstract class AbstractWebRequestHandler extends SpringBKUServlet { + + private static final long serialVersionUID = 1L; + + public static final String APPLET_PAGE_P = "appletPage"; + public static final String APPLET_PAGE_DEFAULT = "applet.jsp"; + + public static final String PARAM_APPLET_WIDTH = "appletWidth"; + public static 
final String ATTR_APPLET_WIDTH = "appletWidth"; + + public static final String PARAM_APPLET_HEIGHT = "appletHeight"; + public static final String ATTR_APPLET_HEIGHT = "appletHeight"; + + public static final String PARAM_APPLET_BACKGROUND = "appletBackground"; + public static final String ATTR_APPLET_BACKGROUND = "appletBackground"; + + public static final String PARAM_APPLET_BACKGROUND_COLOR = "appletBackgroundColor"; + public static final String ATTR_APPLET_BACKGROUND_COLOR = "appletBackgroundColor"; + + public static final Pattern PATTERM_APPLET_BACKGROUND_COLOR = Pattern.compile("\\#[0-9a-fA-F]{6}"); + public static final String PARAM_APPLET_GUI_STYLE = "appletGuiStyle"; + public static final String ATTR_APPLET_GUI_STYLE = "appletGuiStyle"; + + public static final String[] VALUES_APPLET_GUI_STYLE = new String[] {"tiny", "simple", "advanced"}; + public static final String PARAM_APPLET_EXTENSION = "appletExtension"; + public static final String ATTR_APPLET_EXTENSION = "appletExtension"; + + public static final String[] VALUES_APPLET_EXTENSION = new String[] {"pin", "activation"}; + public static final String PARAM_LOCALE = "locale"; + public static final String ATTR_LOCALE = "locale"; + + public static final Pattern PATTERN_LOCALE = Pattern.compile("[a-zA-Z][a-zA-Z](_[a-zA-Z][a-zA-Z]){0,2}"); + public static final String REDIRECT_URL_SESSION_ATTRIBUTE = "redirectUrl"; + + private final Logger log = LoggerFactory.getLogger(BKURequestHandler.class); + + protected static String getStringFromStream(InputStream is, String encoding) + throws IOException { + if (is == null) { + return null; + } + if (encoding == null) { + encoding = HttpUtil.DEFAULT_CHARSET; + } + ByteArrayOutputStream os = new ByteArrayOutputStream(); + StreamUtil.copyStream(is, os); + return new String(os.toByteArray(), encoding); + } + + protected abstract String getRequestProtocol(HttpServletRequest req); + + protected HTTPBindingProcessor getBindingProcessor(Id id, HttpServletRequest req, Locale 
locale) { + + // remove existing binding processor if present + getBindingProcessorManager().removeBindingProcessor(id); + + // create new binding processor + return (HTTPBindingProcessor) getBindingProcessorManager().createBindingProcessor(getRequestProtocol(req), locale); + + } + + @Override + protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, + java.io.IOException { + + String msg = (req.getSession(false) == null) ? "New session created." + : "Session already established."; + + Id id = IdFactory.getInstance().createId(req.getSession().getId()); + MDC.put("id", id.toString()); + + String acceptLanguage = req.getHeader("Accept-Language"); + Locale locale = AcceptLanguage.getLocale(acceptLanguage); + + if (log.isInfoEnabled()) { + log.info("Recieved request (Accept-Language locale: {}). {}", locale, msg); + } + + try { + + HTTPBindingProcessor bindingProcessor = getBindingProcessor(id, req, locale); + + Map headerMap = new HashMap(); + for (Enumeration headerName = req.getHeaderNames(); headerName + .hasMoreElements();) { + String header = (String) headerName.nextElement(); + if (header != null) { + headerMap.put(header, req.getHeader(header)); + } + } + + InputStream inputStream; + String charset; + if (req.getMethod().equals("POST")) { + charset = req.getCharacterEncoding(); + String contentType = req.getContentType(); + if (charset != null) { + contentType += ";" + charset; + } + headerMap.put(HttpUtil.HTTP_HEADER_CONTENT_TYPE, contentType); + inputStream = req.getInputStream(); + } else { + charset = "UTF-8"; + headerMap.put(HttpUtil.HTTP_HEADER_CONTENT_TYPE, + InputDecoderFactory.URL_ENCODED); + String queryString = req.getQueryString(); + if (queryString != null) { + inputStream = new ByteArrayInputStream(queryString.getBytes(charset)); + } else { + inputStream = new ByteArrayInputStream(new byte[] {}); + } + } + bindingProcessor.setHTTPHeaders(headerMap); + 
bindingProcessor.consumeRequestStream(req.getRequestURL().toString(), + inputStream); + + req.getInputStream().close(); + getBindingProcessorManager().process(id, bindingProcessor); + + HttpSession session = req.getSession(); + + log.trace("Looking for applet parameters in request."); + + // appletWidth + String width = getStringFromStream(bindingProcessor + .getFormData(PARAM_APPLET_WIDTH), charset); + if (width != null && !width.isEmpty()) { + try { + // must be a valid integer + session.setAttribute(ATTR_APPLET_WIDTH, Integer.parseInt(width)); + log.debug("Found parameter " + PARAM_APPLET_WIDTH + "='{}'.", width); + } catch (NumberFormatException nfe) { + log.warn("Parameter " + PARAM_APPLET_WIDTH + + " does not contain a valid value.", nfe); + } + } + + // appletHeight + String height = getStringFromStream(bindingProcessor + .getFormData(PARAM_APPLET_HEIGHT), charset); + if (height != null && !height.isEmpty()) { + try { + // must be a valid integer + session.setAttribute(ATTR_APPLET_HEIGHT, Integer.parseInt(height)); + log.debug("Found parameter " + PARAM_APPLET_HEIGHT + "='{}'.", height); + } catch (NumberFormatException nfe) { + log.warn("Parameter " + PARAM_APPLET_HEIGHT + + " does not contain a valid value.", nfe); + } + } + + // appletBackground + String background = getStringFromStream(bindingProcessor + .getFormData(PARAM_APPLET_BACKGROUND), charset); + if (background != null && !background.isEmpty()) { + session.setAttribute(ATTR_APPLET_BACKGROUND, background); + try { + // must be a valid http or https URL + URI backgroundURL = new URI(background); + if ("http".equals(backgroundURL.getScheme()) + || "https".equals(backgroundURL.getScheme())) { + session.setAttribute(ATTR_APPLET_BACKGROUND, backgroundURL + .toASCIIString()); + log.debug("Found parameter " + PARAM_APPLET_BACKGROUND + "='{}'.", + backgroundURL.toASCIIString()); + } else { + log.warn("Parameter " + PARAM_APPLET_BACKGROUND + + "='{}' is not a valid http/https URL.", background); + } + } 
catch (URISyntaxException e) { + log.warn("Parameter " + PARAM_APPLET_BACKGROUND + + "='{}' is not a valid http/https URL.", background, e); + } + } + + // appletBackgroundColor + String backgroundColor = getStringFromStream(bindingProcessor + .getFormData(PARAM_APPLET_BACKGROUND_COLOR), charset); + if (backgroundColor != null && !backgroundColor.isEmpty()) { + // must be a valid color definition + if (PATTERM_APPLET_BACKGROUND_COLOR.matcher(backgroundColor).matches()) { + session.setAttribute(ATTR_APPLET_BACKGROUND_COLOR, backgroundColor); + log.debug("Faund parameter " + PARAM_APPLET_BACKGROUND_COLOR + + "='{}'.", backgroundColor); + } else { + log.warn("Parameter " + PARAM_APPLET_BACKGROUND_COLOR + + "='{}' is not a valid color definition " + + "(must be of form '#hhhhhh').", backgroundColor); + } + } + + // appletGuiStyle + String guiStyle = getStringFromStream(bindingProcessor + .getFormData(PARAM_APPLET_GUI_STYLE), charset); + if (guiStyle != null && !guiStyle.isEmpty()) { + // must be one of VALUES_APPLET_GUI_STYLE + String style = guiStyle.toLowerCase(); + if (Arrays.asList(VALUES_APPLET_GUI_STYLE).contains(style)) { + session.setAttribute(ATTR_APPLET_GUI_STYLE, style); + log.debug("Found parameter " + PARAM_APPLET_GUI_STYLE + "='{}'.", style); + } else { + StringBuilder sb = new StringBuilder(); + sb.append("Parameter ").append(PARAM_APPLET_GUI_STYLE).append( + "='").append(guiStyle).append("' is not valid (must be one of ") + .append(Arrays.toString(VALUES_APPLET_GUI_STYLE)).append(")."); + log.warn(sb.toString()); + } + } + + // appletExtension + String extension = getStringFromStream(bindingProcessor + .getFormData(PARAM_APPLET_EXTENSION), charset); + if (extension != null && !extension.isEmpty()) { + // must be one of VALUES_APPLET_EXTENSION + String ext = extension.toLowerCase(); + if (Arrays.asList(VALUES_APPLET_EXTENSION).contains(ext)) { + session.setAttribute(ATTR_APPLET_EXTENSION, ext); + log.debug("Found parameter " + PARAM_APPLET_EXTENSION + 
"='{}'.", ext); + } else { + StringBuilder sb = new StringBuilder(); + sb.append("Parameter ").append(PARAM_APPLET_EXTENSION).append( + "='").append(extension).append("' is not valid (must be one of ") + .append(Arrays.toString(VALUES_APPLET_EXTENSION)).append(")."); + log.warn(sb.toString()); + } + } + + // locale + String localeFormParam = getStringFromStream(bindingProcessor + .getFormData(PARAM_LOCALE), charset); + if (localeFormParam != null && !localeFormParam.isEmpty()) { + // must be a valid locale + if (PATTERN_LOCALE.matcher(localeFormParam).matches()) { + locale = new Locale(localeFormParam); + log.debug("Override accept-language header locale {} " + + "with form param {}.", locale, localeFormParam); + } else { + log.warn("Parameter " + PARAM_LOCALE + + "='{}' is not a valid locale definition.", localeFormParam); + } + } + if (locale != null) { + log.debug("Using locale {}.", locale); + session.setAttribute(ATTR_LOCALE, locale.toString()); + } + + beforeAppletPage(req, bindingProcessor); + + String appletPage = getStringFromStream(bindingProcessor + .getFormData(APPLET_PAGE_P), charset); + if (appletPage == null || appletPage.isEmpty()) { + appletPage = APPLET_PAGE_DEFAULT; + } + log.debug("Sending redirect to UI page '{}'.", appletPage); + resp.sendRedirect(appletPage); + + } finally { + MDC.remove("id"); + } + } + + @Override + protected void doGet(HttpServletRequest req, HttpServletResponse resp) + throws ServletException, java.io.IOException { + doPost(req, resp); + } + + /** + * Called before the request is forwarded or redirected to the Applet page. + * + * @param req + * @param bindingProcessor + */ + protected void beforeAppletPage(HttpServletRequest req, + HTTPBindingProcessor bindingProcessor) { + } + +} diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/AppletDispatcher.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/AppletDispatcher.java index 24938cd5..9e455621 100644 
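Review bot: `resp.sendRedirect(appletPage)` at the end of doPost uses the value of form parameter `appletPage` unchanged, while every other parameter read from the binding processor in this method is validated first; a request carrying an absolute URL in that field makes this servlet an open redirect. Validating it like the others, e.g. `public static final Pattern PATTERN_APPLET_PAGE = Pattern.compile("[a-zA-Z0-9_.-]+");` and `if (appletPage == null || !PATTERN_APPLET_PAGE.matcher(appletPage).matches()) { appletPage = APPLET_PAGE_DEFAULT; }`, limits the redirect to a page name relative to the current path (widen the pattern if legitimate deployments pass sub-paths). In the appletBackground block, `session.setAttribute(ATTR_APPLET_BACKGROUND, background)` runs before the scheme check, so a value that fails the http/https test or does not parse as a URI still remains in the session and presumably reaches applet.jsp; removing that first setAttribute leaves only the validated `toASCIIString()` form in the session. `locale = new Locale(localeFormParam)` passes a string that PATTERN_LOCALE allows to contain `_`-separated country and variant parts as the language alone, so `de_AT` yields a Locale with language `de_at` instead of language `de` and country `AT`; the parts should be split on `_` before constructing the Locale. Finally, the logger is obtained for `BKURequestHandler.class` inside AbstractWebRequestHandler, which mislabels log lines emitted on behalf of other subclasses; `LoggerFactory.getLogger(getClass())` or `AbstractWebRequestHandler.class` would be accurate.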
--- a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/AppletDispatcher.java +++ b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/AppletDispatcher.java @@ -24,8 +24,8 @@ import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; /** * prevent applet caching, @@ -35,7 +35,9 @@ import org.apache.commons.logging.LogFactory; */ public class AppletDispatcher extends HttpServlet { - protected final static Log log = LogFactory.getLog(AppletDispatcher.class); + private static final long serialVersionUID = 1L; + + private final Logger log = LoggerFactory.getLogger(AppletDispatcher.class); public static final String DISPATCH_CTX = "dispatch/"; public static final String RAND_PREFIX = "__"; @@ -65,10 +67,7 @@ public class AppletDispatcher extends HttpServlet { uri = archivePattern.matcher(uri).replaceAll(".jar"); // log.trace("removing random suffix " + uri); - if (log.isTraceEnabled()) { - log.trace("dispatching request URI " + request.getRequestURI() + - " to " + uri); - } + log.trace("Dispatching request URI {} to {}.", request.getRequestURI(), uri); RequestDispatcher dispatcher = getServletContext().getRequestDispatcher(uri); dispatcher.forward(request, response); diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/BKURequestHandler.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/BKURequestHandler.java index 7dfec211..d42f911c 100644 --- a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/BKURequestHandler.java +++ b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/BKURequestHandler.java 
@@ -16,302 +16,37 @@ */ package at.gv.egiz.bku.online.webapp; -import java.io.ByteArrayOutputStream; -import java.io.IOException; -import java.io.InputStream; -import java.net.MalformedURLException; -import java.net.URI; -import java.net.URISyntaxException; -import java.net.URL; -import java.net.URLEncoder; -import java.util.Arrays; -import java.util.Enumeration; -import java.util.HashMap; -import java.util.Locale; -import java.util.Map; -import java.util.regex.Pattern; - -import javax.servlet.RequestDispatcher; -import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; -import javax.servlet.http.HttpSession; -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; -import at.gv.egiz.bku.binding.BindingProcessor; import at.gv.egiz.bku.binding.HTTPBindingProcessor; -import at.gv.egiz.bku.binding.HttpUtil; -import at.gv.egiz.bku.binding.IdFactory; -import at.gv.egiz.bku.utils.StreamUtil; -import at.gv.egiz.org.apache.tomcat.util.http.AcceptLanguage; +import at.gv.egiz.bku.binding.HTTPBindingProcessorImpl; /** * Handles SL requests and instantiates BindingProcessors * */ -public class BKURequestHandler extends SpringBKUServlet { - - private static final long serialVersionUID = 1L; - - public static final String APPLET_PAGE_P = "appletPage"; - public static final String APPLET_PAGE_DEFAULT = "BKUApplet"; - - public static final String PARAM_APPLET_WIDTH = "appletWidth"; - public static final String ATTR_APPLET_WIDTH = "appletWidth"; - - public static final String PARAM_APPLET_HEIGHT = "appletHeight"; - public static final String ATTR_APPLET_HEIGHT = "appletHeight"; +public class BKURequestHandler extends AbstractWebRequestHandler { - public static final String PARAM_APPLET_BACKGROUND = "appletBackground"; - public static final String ATTR_APPLET_BACKGROUND = "appletBackground"; - - public static final String 
PARAM_APPLET_BACKGROUND_COLOR = "appletBackgroundColor"; - public static final String ATTR_APPLET_BACKGROUND_COLOR = "appletBackgroundColor"; - public static final Pattern PATTERM_APPLET_BACKGROUND_COLOR = Pattern.compile("\\#[0-9a-fA-F]{6}"); - - public static final String PARAM_APPLET_GUI_STYLE = "appletGuiStyle"; - public static final String ATTR_APPLET_GUI_STYLE = "appletGuiStyle"; - public static final String[] VALUES_APPLET_GUI_STYLE = new String[] {"tiny", "simple", "advanced"}; + private static final long serialVersionUID = 1L; - public static final String PARAM_APPLET_EXTENSION = "appletExtension"; - public static final String ATTR_APPLET_EXTENSION = "appletExtension"; - public static final String[] VALUES_APPLET_EXTENSION = new String[] {"pin", "activation"}; + private final Logger log = LoggerFactory.getLogger(BKURequestHandler.class); - public static final String PARAM_LOCALE = "locale"; - public static final String ATTR_LOCALE = "locale"; - public static final Pattern PATTERN_LOCALE = Pattern.compile("[a-zA-Z][a-zA-Z](_[a-zA-Z][a-zA-Z]){0,2}"); - - public final static String REDIRECT_URL_SESSION_ATTRIBUTE = "redirectUrl"; - - protected Log log = LogFactory.getLog(BKURequestHandler.class); - - private static String getStringFromStream(InputStream is, String encoding) - throws IOException { - if (is == null) { - return null; - } - if (encoding == null) { - encoding = HttpUtil.DEFAULT_CHARSET; - } - ByteArrayOutputStream os = new ByteArrayOutputStream(); - StreamUtil.copyStream(is, os); - return new String(os.toByteArray(), encoding); - } - @Override - protected void doPost(HttpServletRequest req, HttpServletResponse resp) - throws ServletException, java.io.IOException { - log.debug("Received SecurityLayer request"); - - HttpSession session = req.getSession(false); - if (session != null) { - log.warn("Already a session with id: " + session.getId() - + " active, trying to get Bindingprocessor"); - BindingProcessor bp = 
getBindingProcessorManager().getBindingProcessor( - IdFactory.getInstance().createId(session.getId())); - if (bp != null) { - log.debug("Found binding processor, using this one"); - String appletPage = getStringFromStream( - ((HTTPBindingProcessor) bp).getFormData(APPLET_PAGE_P), - req.getCharacterEncoding()); - getDispatcher(appletPage).forward(req, resp); - return; - } - log.debug("Did not find a binding processor, creating new ..."); - } - session = req.getSession(true); - if (log.isDebugEnabled()) { - log.debug("Using session id: " + session.getId()); - } - - String acceptLanguage = req.getHeader("Accept-Language"); - Locale locale = AcceptLanguage.getLocale(acceptLanguage); - log.debug("Accept-Language locale: " + locale); - - HTTPBindingProcessor bindingProcessor; - bindingProcessor = (HTTPBindingProcessor) getBindingProcessorManager() - .createBindingProcessor(req.getRequestURL().toString(), - session.getId(), locale); - - Map headerMap = new HashMap(); - for (Enumeration headerName = req.getHeaderNames(); headerName - .hasMoreElements();) { - String header = headerName.nextElement(); - if (header != null) { - headerMap.put(header, req.getHeader(header)); - } - } - String charset = req.getCharacterEncoding(); - String contentType = req.getContentType(); - if (charset != null) { - contentType += ";" + charset; - } - headerMap.put(HttpUtil.HTTP_HEADER_CONTENT_TYPE, contentType); - bindingProcessor.setHTTPHeaders(headerMap); - bindingProcessor.consumeRequestStream(req.getInputStream()); - req.getInputStream().close(); - getBindingProcessorManager().process(bindingProcessor); - - log.trace("Trying to find applet parameters in request"); - - // appletWidth - String width = getStringFromStream(bindingProcessor - .getFormData(PARAM_APPLET_WIDTH), charset); - if (width != null) { - try { - // must be a valid integer - session.setAttribute(ATTR_APPLET_WIDTH, Integer.parseInt(width)); - log.trace("Found parameter " + PARAM_APPLET_WIDTH + "='" + width +"'."); - } catch 
(NumberFormatException nfe) { - log.warn("Applet parameter " + PARAM_APPLET_WIDTH + - " does not contain a valid value.", nfe); - } - } - - // appletHeight - String height = getStringFromStream(bindingProcessor - .getFormData(PARAM_APPLET_HEIGHT), charset); - if (height != null) { - try { - // must be a valid integer - session.setAttribute(ATTR_APPLET_HEIGHT, Integer.parseInt(height)); - log.trace("Found parameter " + PARAM_APPLET_HEIGHT + "='" + height + "'."); - } catch (NumberFormatException nfe) { - log.warn("Applet parameter " + PARAM_APPLET_HEIGHT + - " does not contain a valid value.", nfe); - } - } - - // appletBackground - String background = getStringFromStream(bindingProcessor - .getFormData(PARAM_APPLET_BACKGROUND), charset); - if (background != null) { - session.setAttribute(ATTR_APPLET_BACKGROUND, background); - try { - // must be a valid http or https URL - URI backgroundURL = new URI(background); - if ("http".equals(backgroundURL.getScheme()) - || "https".equals(backgroundURL.getScheme())) { - session.setAttribute(ATTR_APPLET_BACKGROUND, backgroundURL.toASCIIString()); - log.trace("Found parameter " + PARAM_APPLET_BACKGROUND + "='" - + backgroundURL.toASCIIString() + "'."); - } else { - log.warn("Applet parameter " + PARAM_APPLET_BACKGROUND + "='" - + background + "' is not a valid http/https URL."); - } - } catch (URISyntaxException e) { - log.warn("Applet parameter " + PARAM_APPLET_BACKGROUND + "='" - + background + "' is not a valid http/https URL.", e); - } - } - - // appletBackgroundColor - String backgroundColor = getStringFromStream(bindingProcessor - .getFormData(PARAM_APPLET_BACKGROUND_COLOR), charset); - if (backgroundColor != null) { - // must be a valid color definition - if (PATTERM_APPLET_BACKGROUND_COLOR.matcher(backgroundColor).matches()) { - session.setAttribute(ATTR_APPLET_BACKGROUND_COLOR, backgroundColor); - log.trace("Faund parameter " + PARAM_APPLET_BACKGROUND_COLOR + "='" - + backgroundColor + "'."); - } else { - 
log.warn("Applet parameter " + PARAM_APPLET_BACKGROUND_COLOR + "='" - + backgroundColor + "' is not a valid color definition (must be of form '#hhhhhh')."); - } - } - - // appletGuiStyle - String guiStyle = getStringFromStream(bindingProcessor - .getFormData(PARAM_APPLET_GUI_STYLE), charset); - if (guiStyle != null) { - // must be one of VALUES_APPLET_GUI_STYLE - String style = guiStyle.toLowerCase(); - if (Arrays.asList(VALUES_APPLET_GUI_STYLE).contains(style)) { - session.setAttribute(ATTR_APPLET_GUI_STYLE, style); - log.trace("Found parameter " + PARAM_APPLET_GUI_STYLE + "='" - + style + "'."); - } else { - StringBuilder sb = new StringBuilder(); - sb.append("Applet parameter ").append(PARAM_APPLET_GUI_STYLE).append( - "='").append(guiStyle).append("' is not valid (must be one of ") - .append(Arrays.toString(VALUES_APPLET_GUI_STYLE)).append(")."); - log.warn(sb); - } - } - - // appletExtension - String extension = getStringFromStream(bindingProcessor - .getFormData(PARAM_APPLET_EXTENSION), charset); - if (extension != null) { - // must be one of VALUES_APPLET_EXTENSION - String ext = extension.toLowerCase(); - if (Arrays.asList(VALUES_APPLET_EXTENSION).contains(ext)) { - session.setAttribute(ATTR_APPLET_EXTENSION, ext); - log.trace("Found parameter " + PARAM_APPLET_EXTENSION + "='" - + ext + "'."); - } else { - StringBuilder sb = new StringBuilder(); - sb.append("Applet parameter ").append(PARAM_APPLET_EXTENSION).append( - "='").append(extension).append("' is not valid (must be one of ") - .append(Arrays.toString(VALUES_APPLET_EXTENSION)).append(")."); - log.warn(sb); - } - } - - // locale - String localeFormParam = getStringFromStream(bindingProcessor - .getFormData(PARAM_LOCALE), charset); - if (localeFormParam != null) { - // must be a valid locale - if (PATTERN_LOCALE.matcher(localeFormParam).matches()) { - locale = new Locale(localeFormParam); - log.debug("Overrule accept-language header locale " + locale - + " with form param " + localeFormParam + "."); - 
} else { - log.warn("Parameter " + PARAM_LOCALE + "='" + localeFormParam - + "' is not a valid locale definition."); - } - } - if (locale != null) { - log.debug("Using locale " + locale); - session.setAttribute(ATTR_LOCALE, locale.toString()); - } - + protected void beforeAppletPage(HttpServletRequest req, HTTPBindingProcessor bindingProcessor) { // handle server side redirect url after processing - String redirectUrl = bindingProcessor.getRedirectURL(); + String redirectUrl = ((HTTPBindingProcessorImpl) bindingProcessor).getRedirectURL(); if ( redirectUrl != null) { - log.info("Got redirect URL "+redirectUrl+". Deferring browser redirect."); - session.setAttribute(REDIRECT_URL_SESSION_ATTRIBUTE, redirectUrl); + log.info("Got redirect URL '{}'. Deferring browser redirect.", redirectUrl); + req.getSession().setAttribute(REDIRECT_URL_SESSION_ATTRIBUTE, redirectUrl); } - - String appletPage = getStringFromStream(bindingProcessor - .getFormData(APPLET_PAGE_P), charset); - getDispatcher(appletPage).forward(req, resp); } @Override - protected void doGet(HttpServletRequest req, HttpServletResponse resp) - throws ServletException, java.io.IOException { - doPost(req, resp); - } - - private RequestDispatcher getDispatcher(String appletPage) { - RequestDispatcher dispatcher = null; - if (appletPage != null) { - log.trace("requested appletPage " + appletPage); - dispatcher = getServletContext().getNamedDispatcher(appletPage); - } - if (dispatcher == null) { - log.debug("no appletPage requested or appletPage not configured, using default"); - appletPage = APPLET_PAGE_DEFAULT; - dispatcher = getServletContext().getNamedDispatcher(appletPage); - } -// session.setAttribute(APPLET_PAGE_P, appletPage); - log.debug("forward to applet " + appletPage); - - return dispatcher; + protected String getRequestProtocol(HttpServletRequest req) { + return "HTTP"; } } 
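Review bot: `beforeAppletPage` downcasts its `HTTPBindingProcessor` argument to `HTTPBindingProcessorImpl` without a check, so any other implementation handed out by the manager ends in a `ClassCastException` on the request thread; ResultServlet in the same commit calls `bp.getRedirectURL()` on the `HTTPBindingProcessor` interface, so either the cast is unnecessary here or that call will not compile — the two should be reconciled. If the cast must stay, guard it: `if (bindingProcessor instanceof HTTPBindingProcessorImpl) { ... } else { log.warn("No redirect URL: unexpected binding processor {}.", bindingProcessor.getClass()); }`. The method overrides the hook declared in AbstractWebRequestHandler but carries no `@Override`, unlike `getRequestProtocol` right below it. `req.getSession()` here creates a session if none exists; if the base class always creates one before invoking this hook (not visible in this hunk), `req.getSession(false)` states that intent and fails loudly otherwise.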
diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/MoccaContextListener.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/MoccaContextListener.java
new file mode 100644
index 00000000..8d65c92e
--- /dev/null
+++ b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/MoccaContextListener.java
@@ -0,0 +1,128 @@ +/* +* Copyright 2009 Federal Chancellery Austria and +* Graz University of Technology +* +* Licensed under the Apache License, Version 2.0 (the "License"); +* you may not use this file except in compliance with the License. +* You may obtain a copy of the License at +* +* http://www.apache.org/licenses/LICENSE-2.0 +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, +* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +* See the License for the specific language governing permissions and +* limitations under the License. +*/ + +package at.gv.egiz.bku.online.webapp; + +import iaik.security.ecc.provider.ECCProvider; +import iaik.security.provider.IAIK; +import iaik.xml.crypto.XSecProvider; + +import java.security.Provider; +import java.security.Security; +import java.util.ArrayList; +import java.util.List; + +import javax.servlet.ServletContext; +import javax.servlet.ServletContextEvent; +import javax.servlet.ServletContextListener; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +public class MoccaContextListener implements ServletContextListener { + + public static final String DISABLE_SECURITY_PROVIDER_REGISTRATION = "disableSecurityProviderRegistration"; + + private Logger log = LoggerFactory.getLogger(MoccaContextListener.class); + + private final List selfRegisteredProviders = new ArrayList(); + + @Override + public void contextDestroyed(ServletContextEvent sce) { + log.info("Deregistering self registered security providers."); + + for (Provider provider : selfRegisteredProviders) { + Security.removeProvider(provider.getName()); + } + selfRegisteredProviders.clear(); + + } + + @Override + public void contextInitialized(ServletContextEvent sce) { + + ServletContext servletContext = sce.getServletContext(); + if (!Boolean.parseBoolean(servletContext.getInitParameter(DISABLE_SECURITY_PROVIDER_REGISTRATION))) { + 
log.info("Looking for required and registered security providers ..."); + + registerProviders(); + + if (!selfRegisteredProviders.isEmpty()) { + log.warn("Security providers have been registered. " + + "This may affect other contexts in the same container!"); + } + + if (log.isDebugEnabled()) { + StringBuilder sb = new StringBuilder(); + sb.append("Registered providers: "); + int i = 1; + for (Provider prov : Security.getProviders()) { + sb.append("\n" + (i++) + ". : " + prov); + } + log.debug(sb.toString()); + } + } + + + } + + + protected void registerProvider(Provider provider, int position) { + String name = provider.getName(); + if (Security.getProvider(name) == null) { + // register IAIK provider at first position + try { + if (position > 0) { + position = Security.insertProviderAt(provider, position); + } else { + position = Security.addProvider(provider); + } + log.info("Required security Provider {} was not yet registered. " + + "Now registered at position {}.", name, position); + selfRegisteredProviders.add(provider); + } catch (SecurityException e) { + log.info("Failed to register required security Provider.", e); + } + } else { + log.info("Required security Provider {} already registered.", name); + } + + } + + protected void registerProviders() { + + registerProvider(new IAIK(), 1); + registerProvider(new ECCProvider(false), 2); + + final String name = XSecProvider.NAME; + if (Security.getProvider(XSecProvider.NAME) == null) { + // register XML Security provider + try { + XSecProvider.addAsProvider(false); + log.info("Required security Provider {} was not yet registered. " + + "Now registered.", name); + selfRegisteredProviders.add(Security.getProvider(name)); + } catch (SecurityException e) { + log.info("Failed to register required security Provider.", e); + } + } else { + log.info("Required security Provider {} already registered.", name); + } + + } + +} 
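Review bot: In `registerProviders`, after `XSecProvider.addAsProvider(false)` the code stores `Security.getProvider(name)` without a null check; if the provider ended up registered under a different name, or registration silently did nothing, `contextDestroyed` later dereferences a null list entry in `provider.getName()` during shutdown. A guard such as `Provider xsec = Security.getProvider(name); if (xsec != null) { selfRegisteredProviders.add(xsec); }` keeps undeployment from throwing. Failure to register a required provider is logged at `info` in both `registerProvider` and `registerProviders`; since the application cannot function without them and the registration is JVM-wide (as the warning above already notes), `log.error(...)` or failing context start is what an operator would expect. The comment `// register IAIK provider at first position` inside the generic `registerProvider` is stale now that the method registers any provider at any position.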
diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/ResultServlet.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/ResultServlet.java index 5ffe2399..5fd01775 100644 --- a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/ResultServlet.java +++ b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/ResultServlet.java @@ -25,13 +25,14 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.slf4j.MDC; +import at.gv.egiz.bku.binding.BindingProcessor; import at.gv.egiz.bku.binding.HTTPBindingProcessor; -import at.gv.egiz.bku.binding.HttpUtil; +import at.gv.egiz.bku.binding.Id; import at.gv.egiz.bku.binding.IdFactory; -import at.gv.egiz.bku.conf.Configurator; import at.gv.egiz.bku.utils.NullOutputStream; /** @@ -40,7 +41,9 @@ import at.gv.egiz.bku.utils.NullOutputStream; */ public class ResultServlet extends SpringBKUServlet { - private final static Log log = LogFactory.getLog(ResultServlet.class); + private static final long serialVersionUID = 1L; + + private final Logger log = LoggerFactory.getLogger(ResultServlet.class); private String encoding = "UTF-8"; private String expiredPage = "./expiredError.jsp"; @@ -51,12 +54,12 @@ public class ResultServlet extends SpringBKUServlet { private void myInit() { String enc = getServletContext().getInitParameter("responseEncoding"); if (enc != null) { - log.debug("Init default encoding to: " + enc); + log.trace("Init default encoding to: {}.", enc); encoding = enc; } String expP = getServletConfig().getInitParameter("expiredPage"); if (expP != null) { - log.debug("Init expired page to: " + expP); + log.trace("Init expired page to: {}.", expP); expiredPage = expP; } } 
@@ -80,75 +83,65 @@ public class ResultServlet extends SpringBKUServlet { protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, java.io.IOException { - String version = configurator.getProperty(Configurator.SIGNATURE_LAYOUT); - if ((version != null) && (!"".equals(version.trim()))) { - log.debug("setting SignatureLayout header to " + version); - resp.setHeader(Configurator.SIGNATURE_LAYOUT, version); - } else { - log.debug("do not set SignatureLayout header"); - } - - if (configurator.getProperty(Configurator.USERAGENT_CONFIG_P) != null) { - resp.setHeader(HttpUtil.HTTP_HEADER_SERVER, configurator - .getProperty(Configurator.USERAGENT_CONFIG_P)); - } else { - resp.setHeader(HttpUtil.HTTP_HEADER_SERVER, - Configurator.USERAGENT_DEFAULT); - } HttpSession session = req.getSession(false); if (session == null) { resp.sendRedirect(expiredPage); return; } - String sessionId = session.getId(); - if (sessionId == null) { - resp.sendRedirect(expiredPage); - return; - } - log.debug("Got a result request for session: " + sessionId); - HTTPBindingProcessor bp = (HTTPBindingProcessor) getBindingProcessorManager() - .getBindingProcessor(IdFactory.getInstance().createId(sessionId)); - if (bp == null) { + + Id id = IdFactory.getInstance().createId(session.getId()); + + HTTPBindingProcessor bp; + BindingProcessor bindingProcessor = getBindingProcessorManager().getBindingProcessor(id); + if (bindingProcessor instanceof HTTPBindingProcessor) { + bp = (HTTPBindingProcessor) bindingProcessor; + } else { session.invalidate(); resp.sendRedirect(expiredPage); return; } - String redirectUrl = (String) session - .getAttribute(BKURequestHandler.REDIRECT_URL_SESSION_ATTRIBUTE); - if (redirectUrl == null) { - redirectUrl = bp.getRedirectURL(); - } - if (redirectUrl != null) { - try { - bp.writeResultTo(new NullOutputStream(), encoding); - getBindingProcessorManager().removeBindingProcessor(bp.getId()); - } finally { - log.info("Executing deferred 
browser redirect to: " + redirectUrl); - resp.sendRedirect(redirectUrl); - session.invalidate(); + MDC.put("id", id.toString()); + + try { + String redirectUrl = (String) session + .getAttribute(AbstractWebRequestHandler.REDIRECT_URL_SESSION_ATTRIBUTE); + if (redirectUrl == null) { + redirectUrl = bp.getRedirectURL(); } - return; - } - - log.trace("setting response code: " + bp.getResponseCode()); - resp.setStatus(bp.getResponseCode()); - resp.setHeader("Cache-Control", "no-store"); // HTTP 1.1 - resp.setHeader("Pragma", "no-cache"); // HTTP 1.0 - resp.setDateHeader("Expires", 0); - for (Iterator it = bp.getResponseHeaders().keySet().iterator(); it - .hasNext();) { - String header = it.next(); - if (log.isTraceEnabled()) { - log.trace("setting response header " + header + ": " + bp.getResponseHeaders().get(header)); + if (redirectUrl != null) { + try { + bp.writeResultTo(new NullOutputStream(), encoding); + getBindingProcessorManager().removeBindingProcessor(bp.getId()); + } finally { + log.info("Sending deferred redirect, RedirectURL={}.", redirectUrl); + resp.sendRedirect(redirectUrl); + session.invalidate(); + } + return; + } + + log.trace("Setting response code: {}.", bp.getResponseCode()); + resp.setStatus(bp.getResponseCode()); + resp.setHeader("Cache-Control", "no-store"); // HTTP 1.1 + resp.setHeader("Pragma", "no-cache"); // HTTP 1.0 + resp.setDateHeader("Expires", 0); + for (Iterator it = bp.getResponseHeaders().keySet().iterator(); it + .hasNext();) { + String header = it.next(); + log.trace("Setting response header {}: {}.", header, bp.getResponseHeaders().get(header)); + resp.setHeader(header, bp.getResponseHeaders().get(header)); } - resp.setHeader(header, bp.getResponseHeaders().get(header)); + resp.setContentType(bp.getResultContentType()); + resp.setCharacterEncoding(encoding); + log.info("Sending result."); + bp.writeResultTo(resp.getOutputStream(), encoding); + resp.getOutputStream().flush(); + session.invalidate(); + 
getBindingProcessorManager().removeBindingProcessor(bp.getId()); + + } finally { + MDC.remove("id"); } - resp.setContentType(bp.getResultContentType()); - resp.setCharacterEncoding(encoding); - bp.writeResultTo(resp.getOutputStream(), encoding); - resp.getOutputStream().flush(); - session.invalidate(); - getBindingProcessorManager().removeBindingProcessor(bp.getId()); } } diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/SessionListener.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/SessionListener.java new file mode 100644 index 00000000..1bec31b6 --- /dev/null +++ b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/SessionListener.java 
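Review bot: In the deferred-redirect branch the redirect is sent from a `finally` block, so an exception from `bp.writeResultTo(...)` propagates after the response is already committed, and if `sendRedirect` itself throws, `session.invalidate()` is skipped and the session keeps a stale binding processor until it times out (the `doGet` signature begins before this hunk). I would keep the cleanup in `finally`, log a failure to discard the result, and send the redirect after the try block, as below. The redirect response also carries none of the `Cache-Control`/`Pragma`/`Expires` headers the non-redirect path sets; setting them once before the branch covers both. Where `redirectUrl` originates is not visible here — if it can be influenced by request or DataURL content, the `sendRedirect` should be preceded by a scheme/host check.
```java
      if (redirectUrl != null) {
        try {
          bp.writeResultTo(new NullOutputStream(), encoding);
        } catch (java.io.IOException e) { // NOTE(review): widen to whatever writeResultTo declares
          log.warn("Discarding the result before the deferred redirect failed.", e);
        } finally {
          getBindingProcessorManager().removeBindingProcessor(bp.getId());
          session.invalidate();
        }
        log.info("Sending deferred redirect, RedirectURL={}.", redirectUrl);
        resp.sendRedirect(redirectUrl);
        return;
      }
      // … unchanged: status, response headers and result streaming …
```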
@@ -0,0 +1,47 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.bku.online.webapp;
+
+import javax.servlet.http.HttpSessionEvent;
+import javax.servlet.http.HttpSessionListener;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import at.gv.egiz.bku.binding.BindingProcessorManager;
+import at.gv.egiz.bku.binding.IdFactory;
+
+/**
+ * Session listener to trigger the removal of the BindingProcessor
+ *
+ */
+public class SessionListener implements HttpSessionListener {
+
+ private final Logger log = LoggerFactory.getLogger(SessionListener.class);
+
+ @Override
+ public void sessionCreated(HttpSessionEvent event) {
+ }
+
+ @Override
+ public void sessionDestroyed(HttpSessionEvent event) {
+ BindingProcessorManager manager = (BindingProcessorManager) event.getSession().getServletContext().getAttribute(SpringBKUServlet.BEAN_NAME);
+ manager.removeBindingProcessor(IdFactory.getInstance().createId(event.getSession().getId()));
+ log.info("Session {} destroyed.", event.getSession().getId());
+ }
+
+}
diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/SessionTimeout.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/SessionTimeout.java
deleted file mode 100644
index 2b56166c..00000000
--- a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/SessionTimeout.java
+++ /dev/null
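Review bot: `sessionDestroyed` dereferences the `BindingProcessorManager` fetched from the servlet context without a null check, so if the Spring context failed to start, or is already torn down when sessions expire during shutdown, every session expiry throws an NPE in the container's listener thread. A guard such as `if (manager == null) { log.warn("No BindingProcessorManager in servlet context; cannot remove binding processor for session {}.", event.getSession().getId()); return; }` keeps the listener quiet in that state. The log line is written only after the removal, so a failing `removeBindingProcessor` leaves no record of which session was being handled; logging the session id before the call (or in the guard) makes the event easier to correlate with the request logs.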
@@ -1,49 +0,0 @@ -/* -* Copyright 2008 Federal Chancellery Austria and -* Graz University of Technology -* -* Licensed under the Apache License, Version 2.0 (the "License"); -* you may not use this file except in compliance with the License. -* You may obtain a copy of the License at -* -* http://www.apache.org/licenses/LICENSE-2.0 -* -* Unless required by applicable law or agreed to in writing, software -* distributed under the License is distributed on an "AS IS" BASIS, -* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -* See the License for the specific language governing permissions and -* limitations under the License. -*/ -package at.gv.egiz.bku.online.webapp; - -import javax.servlet.http.HttpSessionEvent; -import javax.servlet.http.HttpSessionListener; - -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; - -import at.gv.egiz.bku.binding.BindingProcessorManager; -import at.gv.egiz.bku.binding.IdFactory; - -/** - * Session listener to trigger the removal of the BindingProcessor - * - */ -public class SessionTimeout implements HttpSessionListener { - - private static Log log = LogFactory.getLog(SessionTimeout.class); - - @Override - public void sessionCreated(HttpSessionEvent arg0) { - // TODO Auto-generated method stub - - } - - @Override - public void sessionDestroyed(HttpSessionEvent event) { - BindingProcessorManager manager = (BindingProcessorManager) event.getSession().getServletContext().getAttribute(SpringBKUServlet.BEAN_NAME); - log.info("Removing session: "+event.getSession().getId()); - manager.removeBindingProcessor(IdFactory.getInstance().createId(event.getSession().getId())); - } - -} diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/ShutdownHandler.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/ShutdownHandler.java index 741b5e32..39d7368d 100644 --- a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/ShutdownHandler.java 
+++ b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/ShutdownHandler.java 
@@ -1,48 +1,48 @@ -/* - * Copyright 2008 Federal Chancellery Austria and - * Graz University of Technology - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package at.gv.egiz.bku.online.webapp; - -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; -import org.springframework.context.ApplicationEvent; -import org.springframework.context.ApplicationListener; -import org.springframework.context.event.ContextClosedEvent; - -import at.gv.egiz.bku.binding.BindingProcessorManager; - -public class ShutdownHandler implements ApplicationListener { - - private static Log log = LogFactory.getLog(ShutdownHandler.class); - - private BindingProcessorManager bindingProcessorManager; - - public void setBindingProcessorManager( - BindingProcessorManager bindingProcessorManager) { - this.bindingProcessorManager = bindingProcessorManager; - } - - @Override - public void onApplicationEvent(ApplicationEvent event) { - if (event instanceof ContextClosedEvent) { - log.info("Shutting down BKU"); - bindingProcessorManager.shutdownNow(); - } - - } - -} +/* + * Copyright 2008 Federal Chancellery Austria and + * Graz University of Technology + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. 
+ * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package at.gv.egiz.bku.online.webapp; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.context.ApplicationEvent; +import org.springframework.context.ApplicationListener; +import org.springframework.context.event.ContextClosedEvent; + +import at.gv.egiz.bku.binding.BindingProcessorManager; + +public class ShutdownHandler implements ApplicationListener { + + private final Logger log = LoggerFactory.getLogger(ShutdownHandler.class); + + private BindingProcessorManager bindingProcessorManager; + + public void setBindingProcessorManager( + BindingProcessorManager bindingProcessorManager) { + this.bindingProcessorManager = bindingProcessorManager; + } + + @Override + public void onApplicationEvent(ApplicationEvent event) { + if (event instanceof ContextClosedEvent) { + log.info("Shutting down MOCCA."); + bindingProcessorManager.shutdownNow(); + } + + } + +} diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/SpringBKUServlet.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/SpringBKUServlet.java index 2c6f522e..6a6f11e8 100644 --- a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/SpringBKUServlet.java +++ b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/SpringBKUServlet.java 
@@ -19,19 +19,15 @@ package at.gv.egiz.bku.online.webapp; import javax.servlet.http.HttpServlet; import at.gv.egiz.bku.binding.BindingProcessorManager; -import at.gv.egiz.bku.conf.Configurator; public abstract class SpringBKUServlet extends HttpServlet { + private static final long serialVersionUID = 1L; + public final static String BEAN_NAME="bindingProcessorManager"; - protected static Configurator configurator; - protected BindingProcessorManager getBindingProcessorManager() { return (BindingProcessorManager) getServletContext().getAttribute(BEAN_NAME); } - public static void setConfigurator(Configurator conf) { - configurator = conf; - } } diff --git a/BKUOnline/src/main/java/at/gv/egiz/mocca/id/AbstractCommandSequenceBindingProcessor.java b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/AbstractCommandSequenceBindingProcessor.java new file mode 100644 index 00000000..897ec227 --- /dev/null +++ b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/AbstractCommandSequenceBindingProcessor.java 
@@ -0,0 +1,123 @@
+/*
+* Copyright 2009 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+package at.gv.egiz.mocca.id;
+
+import java.util.Collections;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import at.gv.egiz.bku.binding.AbstractBindingProcessor;
+import at.gv.egiz.bku.slcommands.SLCommand;
+import at.gv.egiz.bku.slcommands.SLCommandContext;
+import at.gv.egiz.bku.slcommands.SLResult;
+import at.gv.egiz.bku.slexceptions.SLCommandException;
+import at.gv.egiz.bku.slexceptions.SLException;
+import at.gv.egiz.stal.QuitRequest;
+
+public abstract class AbstractCommandSequenceBindingProcessor extends AbstractBindingProcessor {
+
+ protected static Logger log = LoggerFactory.getLogger(AbstractCommandSequenceBindingProcessor.class);
+
+ /**
+ * @return the error
+ */
+ protected Exception getError() {
+ return error;
+ }
+
+ /**
+ * @param error the error to set
+ */
+ protected void setError(Exception error) {
+ this.error = error;
+ }
+
+ private Exception error;
+
+ private SLCommandBrocker commandBrocker = new SLCommandBrocker();
+
+ /**
+ * External processing?
+ */
+ private boolean external;
+
+ /**
+ * Constructs a new instance of this IdBindingProcessorImpl with
+ * the given ID.
+ */
+ public AbstractCommandSequenceBindingProcessor() {
+ super();
+ }
+
+ /**
+ * @return the external
+ */
+ public boolean isExternal() {
+ return external;
+ }
+
+ /**
+ * @param external the external to set
+ */
+ public void setExternal(boolean external) {
+ this.external = external;
+ }
+
+ protected abstract SLCommand getNextCommand();
+
+ protected abstract void processResult(SLResult result);
+
+ @Override
+ public synchronized void process() {
+
+ try {
+
+ SLCommand command;
+ do {
+ command = getNextCommand();
+ SLCommandContext context = new SLCommandContext(getSTAL(), getUrlDereferencer(), locale);
+ SLResult result = null;
+ if (external) {
+ result = commandBrocker.execute(command, context, 3 * 60 * 1000);
+ } else {
+ if (command != null) {
+ result = command.execute(context);
+ } else {
+ stal.handleRequest(Collections.singletonList(new QuitRequest()));
+ }
+ }
+ if (result != null) {
+ processResult(result);
+ }
+ } while (command != null);
+
+ } catch (InterruptedException e) {
+ setError(new SLException(6000));
+ } catch (Exception e) {
+ log.info("BindingProcessor error.", e);
+ setError(e);
+ }
+
+ }
+
+ public SLCommand setExternalResult(SLResult slResult) throws SLCommandException, InterruptedException {
+ return commandBrocker.nextCommand(slResult, 3 * 60 * 1000);
+ }
+
+}
diff --git a/BKUOnline/src/main/java/at/gv/egiz/mocca/id/DataURLServerServlet.java b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/DataURLServerServlet.java
new file mode 100644
index 00000000..b40fd35f
--- /dev/null
+++ b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/DataURLServerServlet.java
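Review bot: In `process()` the `catch (InterruptedException e)` branch records `new SLException(6000)` but never restores the thread's interrupt status, so whoever interrupted this synchronized method cannot observe it afterwards; add `Thread.currentThread().interrupt();` before `setError(new SLException(6000));`. The three-minute timeout `3 * 60 * 1000` is spelled out both in `process()` and in `setExternalResult`, so one `private static final long` constant (e.g. `COMMAND_TIMEOUT_MS`) would keep the two from drifting apart. The constructor Javadoc still says `Constructs a new instance of this IdBindingProcessorImpl with the given ID` although this constructor takes no argument; it should read `Constructs a new AbstractCommandSequenceBindingProcessor.`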
@@ -0,0 +1,225 @@ +/* +* Copyright 2009 Federal Chancellery Austria and +* Graz University of Technology +* +* Licensed under the Apache License, Version 2.0 (the "License"); +* you may not use this file except in compliance with the License. +* You may obtain a copy of the License at +* +* http://www.apache.org/licenses/LICENSE-2.0 +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, +* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +* See the License for the specific language governing permissions and +* limitations under the License. +*/ + +package at.gv.egiz.mocca.id; + +import java.io.IOException; +import java.io.InputStream; +import java.util.Iterator; + +import javax.servlet.ServletException; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.xml.XMLConstants; +import javax.xml.bind.JAXBElement; +import javax.xml.bind.JAXBException; +import javax.xml.bind.Marshaller; +import javax.xml.parsers.DocumentBuilder; +import javax.xml.parsers.DocumentBuilderFactory; +import javax.xml.parsers.ParserConfigurationException; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.w3c.dom.Document; +import org.w3c.dom.Element; +import org.xml.sax.SAXException; + +import at.gv.egiz.bku.binding.BindingProcessor; +import at.gv.egiz.bku.binding.FormParameter; +import at.gv.egiz.bku.binding.IdFactory; +import at.gv.egiz.bku.binding.InputDecoder; +import at.gv.egiz.bku.binding.InputDecoderFactory; +import at.gv.egiz.bku.online.webapp.SpringBKUServlet; +import at.gv.egiz.bku.slcommands.SLCommand; +import at.gv.egiz.bku.slcommands.SLMarshallerFactory; +import at.gv.egiz.bku.slcommands.SLResult; +import at.gv.egiz.bku.slcommands.impl.DomCreateXMLSignatureResultImpl; +import at.gv.egiz.bku.slcommands.impl.DomErrorResultImpl; +import at.gv.egiz.bku.slcommands.impl.DomInfoboxReadResultImpl; 
+import at.gv.egiz.bku.slcommands.impl.ErrorResultImpl; +import at.gv.egiz.bku.slcommands.impl.SLCommandImpl; +import at.gv.egiz.bku.slexceptions.SLCommandException; +import at.gv.egiz.bku.utils.DebugInputStream; +import at.gv.egiz.bku.utils.StreamUtil; +import at.gv.egiz.slbinding.SLUnmarshaller; + +public class DataURLServerServlet extends SpringBKUServlet { + + private static Logger log = LoggerFactory.getLogger(DataURLServerServlet.class); + + /** + * + */ + private static final long serialVersionUID = 1L; + + /* (non-Javadoc) + * @see javax.servlet.http.HttpServlet#doPost(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse) + */ + @Override + protected void doPost(HttpServletRequest req, HttpServletResponse resp) + throws ServletException, IOException { + + String userAgent = req.getHeader("User-Agent"); + String contentType = req.getContentType(); + log.debug("Content-Type: " + contentType + " User-Agent: " + userAgent); + + InputDecoder dec = InputDecoderFactory.getDecoder(contentType, req.getInputStream()); + + String sessionId = null; + Element respElement = null; + + Iterator formParams = dec.getFormParameterIterator(); + while(formParams.hasNext()) { + FormParameter parameter = formParams.next(); + String name = parameter.getFormParameterName(); + if ("SessionID_".equals(name)) { + sessionId = StreamUtil.asString(parameter.getFormParameterValue(), "UTF-8"); + log.debug("SessionID: {}", sessionId); + } else if ("ResponseType".equals(name)) { + String parameterContentType = parameter.getFormParameterContentType(); + if (log.isDebugEnabled()) { + log.debug("ResponseType: ({}) {}.", parameterContentType, StreamUtil.asString(parameter.getFormParameterValue(), "UTF-8")); + } + } else if ("XMLResponse".equals(name)) { + InputStream inputStream = parameter.getFormParameterValue(); + + DebugInputStream di = null; + if (log.isDebugEnabled()) { + di = new DebugInputStream(inputStream); + inputStream = di; + } + + SLUnmarshaller 
slUnmarshaller = new SLUnmarshaller(); + + DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); + dbf.setNamespaceAware(true); + dbf.setSchema(slUnmarshaller.getSlSchema()); + try { + dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); + } catch (ParserConfigurationException e) { + log.warn("Failed to enable secure processing.", e); + } + + // http://www.w3.org/TR/xmldsig-bestpractices/#be-aware-schema-normalization + try { + dbf.setAttribute("http://apache.org/xml/features/validation/schema/normalized-value", Boolean.FALSE); + } catch (IllegalArgumentException e) { + log.warn("Failed to disable schema normalization " + + "(see http://www.w3.org/TR/xmldsig-bestpractices/#be-aware-schema-normalization)", e); + } + + DocumentBuilder documentBuilder; + try { + documentBuilder = dbf.newDocumentBuilder(); + } catch (ParserConfigurationException e) { + log.error("Failed to create parser for Security Layer response." , e); + resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); + return; + } + + try { + Document doc = documentBuilder.parse(inputStream); + respElement = doc.getDocumentElement(); + } catch (SAXException e) { + log.info("Failed to parse Security Layer response.", e); + // TODO set error and redirect + resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); + return; + } + + if (di != null) { + log.debug("XMLResponse:\n{}", new String(di.getBufferedBytes(), "UTF-8")); + } + + } + + } + + SAMLBindingProcessorImpl bindingProcessor = null; + if (sessionId != null) { + bindingProcessor = getBindingProcessor(sessionId); + } + + if (bindingProcessor != null && respElement != null) { + + SLResult slResult = null; + if ("http://www.buergerkarte.at/namespaces/securitylayer/1.2#".equals(respElement.getNamespaceURI())) { + if ("NullOperationResponse".equals(respElement.getLocalName())) { + slResult = null; + } else if ("InfoboxReadResponse".equals(respElement.getLocalName())) { + slResult = new DomInfoboxReadResultImpl(respElement); 
+ } else if ("CreateXMLSignatureResponse".equals(respElement.getLocalName())) {
+ slResult = new DomCreateXMLSignatureResultImpl(respElement);
+ } else if ("ErrorResponse".equals(respElement.getLocalName())) {
+ slResult = new DomErrorResultImpl(respElement);
+ } else {
+ // TODO: report proper error
+ at.gv.egiz.bku.slexceptions.SLException slException = new at.gv.egiz.bku.slexceptions.SLException(0);
+ slResult = new ErrorResultImpl(slException, null);
+ }
+
+ }
+
+ SLCommand slCommand = null;
+ try {
+ slCommand = bindingProcessor.setExternalResult(slResult);
+ } catch (SLCommandException e) {
+ log.debug(e.getMessage());
+ } catch (InterruptedException e) {
+ // interrupted
+ }
+
+ if (slCommand instanceof SLCommandImpl) {
+ JAXBElement request = ((SLCommandImpl) slCommand).getRequest();
+ Marshaller marshaller = SLMarshallerFactory.getInstance().createMarshaller(false, false);
+ try {
+
+ resp.setCharacterEncoding("UTF-8");
+ resp.setContentType("text/xml");
+
+ marshaller.marshal(request, resp.getOutputStream());
+
+ return;
+
+ } catch (JAXBException e) {
+ log.error("Failed to marshall Security Layer request.", e);
+ }
+
+ }
+
+ }
+
+ resp.sendRedirect("bkuResult");
+
+ }
+
+ protected SAMLBindingProcessorImpl getBindingProcessor(String sessionId) {
+
+ BindingProcessor bp = getBindingProcessorManager().getBindingProcessor(
+ IdFactory.getInstance().createId(sessionId));
+
+ if (bp instanceof SAMLBindingProcessorImpl) {
+ log.debug("Found active BindingProcessor, using this one.");
+ return (SAMLBindingProcessorImpl) bp;
+ }
+
+ return null;
+
+ }
+
+
+}
diff --git a/BKUOnline/src/main/java/at/gv/egiz/mocca/id/IdLink.java b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/IdLink.java
new file mode 100644
index 00000000..fd4ef8e7
--- /dev/null
+++ b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/IdLink.java
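Review bot: The `DocumentBuilderFactory` that parses the `XMLResponse` form parameter — content taken straight from the client's POST body — only enables `XMLConstants.FEATURE_SECURE_PROCESSING`, and when that call throws the code just logs a warning and parses anyway; nothing disables DTD processing or entity expansion, so the parser's defaults decide whether a DOCTYPE in the response is honoured. Next to the secure-processing feature add `dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` and `dbf.setExpandEntityReferences(false);`, and let that `ParserConfigurationException` catch answer with `resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); return;` as the `newDocumentBuilder()` catch below it already does. The same factory setup recurs in `IdLinkFactory.unmarshallIdLink(InputSource)` in this commit and should receive the same two features. Separately, `catch (InterruptedException e) { // interrupted }` swallows the interrupt entirely; at minimum `Thread.currentThread().interrupt();` belongs in that block.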
@@ -0,0 +1,346 @@ +/* +* Copyright 2009 Federal Chancellery Austria and +* Graz University of Technology +* +* Licensed under the Apache License, Version 2.0 (the "License"); +* you may not use this file except in compliance with the License. +* You may obtain a copy of the License at +* +* http://www.apache.org/licenses/LICENSE-2.0 +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, +* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +* See the License for the specific language governing permissions and +* limitations under the License. +*/ + +package at.gv.egiz.mocca.id; + +import iaik.xml.crypto.dom.DOMCryptoContext; +import iaik.xml.crypto.dsig.keyinfo.KeyValueType; + +import java.io.IOException; +import java.io.InputStream; +import java.security.PublicKey; +import java.security.cert.X509Certificate; +import java.text.ParseException; +import java.util.ArrayList; +import java.util.List; + +import javax.xml.bind.JAXBElement; +import javax.xml.bind.JAXBException; +import javax.xml.crypto.MarshalException; +import javax.xml.crypto.dom.DOMStructure; +import javax.xml.crypto.dsig.Manifest; +import javax.xml.crypto.dsig.Reference; +import javax.xml.crypto.dsig.XMLObject; +import javax.xml.crypto.dsig.XMLSignature; +import javax.xml.crypto.dsig.XMLSignatureException; +import javax.xml.crypto.dsig.XMLSignatureFactory; +import javax.xml.crypto.dsig.dom.DOMValidateContext; +import javax.xml.crypto.dsig.keyinfo.KeyInfo; +import javax.xml.crypto.dsig.keyinfo.X509Data; + +import oasis.names.tc.saml._1_0.assertion.AnyType; +import oasis.names.tc.saml._1_0.assertion.AssertionType; +import oasis.names.tc.saml._1_0.assertion.AttributeStatementType; +import oasis.names.tc.saml._1_0.assertion.AttributeType; +import oasis.names.tc.saml._1_0.assertion.StatementAbstractType; +import oasis.names.tc.saml._1_0.assertion.SubjectConfirmationType; + +import org.slf4j.Logger; 
+import org.slf4j.LoggerFactory; +import org.w3c.dom.Element; +import org.w3c.dom.Node; + +import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType; +import at.gv.egiz.bku.utils.StreamUtil; + +public class IdLink { + + protected Logger log = LoggerFactory.getLogger(IdLink.class); + + /** + * The IdLink is backed by a DOM. + */ + protected Node node; + + /** + * The Assertion (root element) of the IdLink. + */ + protected AssertionType assertion; + + /** + * The citizen's asserted public keys. + */ + protected List citizenPublicKeys; + + /** + * The XMLSignature. + */ + protected XMLSignature signature; + + /** + * The assertion's signer certificate. + */ + protected X509Certificate signerCert; + + /** + * Is the assertion's signature manifest valid? + */ + protected Boolean manifestValid; + + /** + * Is the assertion's signature valid? + */ + protected Boolean signatureValid; + + /** + * The personal identifier + */ + protected IdLinkPersonData personData; + + public IdLink(Element node, AssertionType assertion) throws JAXBException { + this.node = node; + this.assertion = assertion; + } + + public PhysicalPersonType getPhysicalPerson() { + + AttributeStatementType attributeStatement = getAttributeStatement(); + if (attributeStatement != null) { + JAXBElement subjectConfirmation = attributeStatement.getSubject().getContent().get(0); + if (subjectConfirmation.getDeclaredType() == SubjectConfirmationType.class) { + Object data = ((SubjectConfirmationType) subjectConfirmation.getValue()) + .getSubjectConfirmationData().getContent().get(0); + if (data instanceof JAXBElement + && ((JAXBElement) data).getValue() instanceof PhysicalPersonType) { + return (PhysicalPersonType) ((JAXBElement) data).getValue(); + } + } + } + + return null; + } + + public AttributeStatementType getAttributeStatement() { + + StatementAbstractType statement = + assertion.getStatementOrSubjectStatementOrAuthenticationStatement().get(0); + + if (statement instanceof 
AttributeStatementType) { + return (AttributeStatementType) statement; + } + + return null; + + } + + public IdLinkPersonData getPersonData() throws MarshalException { + if (personData == null) { + try { + personData = new IdLinkPersonData(getPhysicalPerson()); + } catch (ParseException e) { + throw new MarshalException(e); + } + } + return personData; + } + + public List getCitizenPublicKeys() throws MarshalException { + if (citizenPublicKeys == null) { + + citizenPublicKeys = new ArrayList(); + + AttributeStatementType attributeStatement = getAttributeStatement(); + if (attributeStatement != null) { + List attributes = attributeStatement.getAttribute(); + for (AttributeType attribute : attributes) { + if ("urn:publicid:gv.at:namespaces:identitylink:1.2".equals(attribute.getAttributeNamespace()) + && "CitizenPublicKey".equals(attribute.getAttributeName())) { + List value = attribute.getAttributeValue(); + if (value.size() == 1 && value.get(0).getContent().size() == 1) { + Object object = value.get(0).getContent().get(0); + if (object instanceof Element) { + Element element = (Element) object; + DOMStructure structure = iaik.xml.crypto.dom.DOMStructure.getInstance(element, new DOMCryptoContext()); + if (structure instanceof KeyValueType) { + citizenPublicKeys.add(((KeyValueType) structure).getPublicKey()); + } + } + } + } + } + } + + } + return citizenPublicKeys; + } + + public XMLSignature getXMLSignature() throws MarshalException { + if (signature == null) { + + Node n = node.getLastChild(); + while (n != null && n.getNodeType() != Node.ELEMENT_NODE) { + n = n.getPreviousSibling(); + } + + if (n != null + && XMLSignature.XMLNS.equals(n.getNamespaceURI()) + && "Signature".equals(n.getLocalName())) { + + XMLSignatureFactory signatureFactory = XMLSignatureFactory.getInstance(); + signature = signatureFactory.unmarshalXMLSignature(new DOMStructure(n)); + } + + + } + return signature; + } + + public X509Certificate getSignerCert() throws MarshalException { + if 
(signerCert == null) { + + if (getXMLSignature() != null) { + + KeyInfo keyInfo = signature.getKeyInfo(); + if (keyInfo != null) { + List content = keyInfo.getContent(); + for (Object data : content) { + if (data instanceof X509Data) { + List x509Data = ((X509Data) data).getContent(); + for (Object object : x509Data) { + if (object instanceof X509Certificate) { + signerCert = (X509Certificate) object; + return signerCert; + } + } + } + } + } + } + } + return signerCert; + } + + + @SuppressWarnings("unchecked") + public boolean verifySignature() throws MarshalException, XMLSignatureException { + if (signatureValid == null) { + if (getXMLSignature() != null && getSignerCert() != null) { + + DOMValidateContext validateContext = new DOMValidateContext(signerCert.getPublicKey(), node); + validateContext.setProperty("javax.xml.crypto.dsig.cacheReference", Boolean.TRUE); + + signatureValid = signature.validate(validateContext); + + // logging + if (!signatureValid && log.isTraceEnabled()) { + List references = signature.getSignedInfo().getReferences(); + for (Reference reference : references) { + if (!Manifest.TYPE.equals(reference.getType())) { + if (!reference.validate(validateContext)) { + InputStream digestInputStream = reference.getDigestInputStream(); + if (digestInputStream != null) { + try { + log.trace("SignedInfo's reference digest input:\n{}", + StreamUtil.asString(digestInputStream, "UTF-8")); + } catch (IOException e) { + log.info("Failed to get SignedInfos's reference digest input", e.toString()); + } + } + } else { + try { + log.trace("Signature canonicalized data:\n{}", StreamUtil.asString(signature + .getSignedInfo().getCanonicalizedData(), "UTF-8")); + } catch (IOException e) { + log.info("Failed to get canonicalized data.", e); + } + } + break; + } + } + } + + } + } + return signatureValid; + } + + @SuppressWarnings("unchecked") + public boolean verifyManifest() throws MarshalException, XMLSignatureException { + if (manifestValid == null) { + if 
(getXMLSignature() != null && getSignerCert() != null) { + + DOMValidateContext validateContext = new DOMValidateContext(signerCert.getPublicKey(), node); + if (log.isTraceEnabled()) { + // enable reference caching in trace log-level + validateContext.setProperty("javax.xml.crypto.dsig.cacheReference", Boolean.TRUE); + } + boolean valid = false; + + // validate manifest + List objects = signature.getObjects(); + for (XMLObject object : objects) { + List content = object.getContent(); + if (content.get(0) instanceof Manifest) { + Manifest manifest = (Manifest) content.get(0); + List references = manifest.getReferences(); + for (Reference reference : references) { + + valid = reference.validate(validateContext); + + // logging + if (!valid && log.isTraceEnabled()) { + InputStream digestInputStream = reference.getDigestInputStream(); + if (digestInputStream != null) { + try { + log.trace("Manifest's reference digest input:\n{}", + StreamUtil.asString(digestInputStream, "UTF-8")); + } catch (IOException e) { + log.info("Failed to get Manifest's reference digest input", e.toString()); + } + } + } + break; + } + } + } + + // validate reference to manifest + if (valid) { + List references = signature.getSignedInfo().getReferences(); + for (Reference reference : references) { + if (Manifest.TYPE.equals(reference.getType())) { + + boolean refValid = reference.validate(validateContext); + + // logging + if (!refValid && log.isTraceEnabled()) { + InputStream digestInputStream = reference.getDigestInputStream(); + if (digestInputStream != null) { + try { + log.trace("SignedInfo's manifest reference digest input:\n{}", + StreamUtil.asString(digestInputStream, "UTF-8")); + } catch (IOException e) { + log.info("Failed to get SignedInfos's manifest reference digest input", e.toString()); + } + } + } + + valid &= refValid; + + } + } + } + + manifestValid = valid; + + } + + } + return manifestValid; + } + +} 
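Review bot: In `verifyManifest()` the `break;` sits inside the inner `for (Reference reference : references)` loop, so only the first reference of the manifest is ever validated, and `valid = reference.validate(validateContext)` would in any case be overwritten by each later reference rather than accumulated — references after the first are therefore never checked. If the intent is to leave the object loop after the first `Manifest`, the `break` belongs after the reference loop, the assignment should be `valid &= reference.validate(validateContext);`, and `valid` should be set to `true` once a manifest has been found so that the `&=` chain and the later `valid &= refValid` are meaningful. Note also that `verifySignature()` validates with the key of `signerCert`, which `getSignerCert()` takes from the signature's own `KeyInfo`, so a true result only shows the assertion is consistent with the embedded certificate; whether that certificate is checked against a trusted issuer is not visible in this hunk and should be stated in the method's Javadoc. Finally, the `log.info("Failed to get ...", e.toString())` calls pass the exception text as a parameter without a `{}` placeholder, so it is dropped; pass `e` as the last argument instead.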
diff --git a/BKUOnline/src/main/java/at/gv/egiz/mocca/id/IdLinkException.java b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/IdLinkException.java
new file mode 100644
index 00000000..12383861
--- /dev/null
+++ b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/IdLinkException.java
@@ -0,0 +1,43 @@
+/*
+* Copyright 2009 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+package at.gv.egiz.mocca.id;
+
+public class IdLinkException extends Exception {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = 1L;
+
+ public IdLinkException() {
+ super();
+ }
+
+ public IdLinkException(String message, Throwable cause) {
+ super(message, cause);
+ }
+
+ public IdLinkException(String message) {
+ super(message);
+ }
+
+ public IdLinkException(Throwable cause) {
+ super(cause);
+ }
+
+}
diff --git a/BKUOnline/src/main/java/at/gv/egiz/mocca/id/IdLinkFactory.java b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/IdLinkFactory.java
new file mode 100644
index 00000000..90312af3
--- /dev/null
+++ b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/IdLinkFactory.java
@@ -0,0 +1,154 @@ +/* +* Copyright 2009 Federal Chancellery Austria and +* Graz University of Technology +* +* Licensed under the Apache License, Version 2.0 (the "License"); +* you may not use this file except in compliance with the License. +* You may obtain a copy of the License at +* +* http://www.apache.org/licenses/LICENSE-2.0 +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, +* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +* See the License for the specific language governing permissions and +* limitations under the License. +*/ + +package at.gv.egiz.mocca.id; + +import java.io.IOException; +import java.net.URL; + +import javax.xml.XMLConstants; +import javax.xml.bind.JAXBContext; +import javax.xml.bind.JAXBElement; +import javax.xml.bind.JAXBException; +import javax.xml.bind.Unmarshaller; +import javax.xml.namespace.QName; +import javax.xml.parsers.DocumentBuilder; +import javax.xml.parsers.DocumentBuilderFactory; +import javax.xml.parsers.ParserConfigurationException; +import javax.xml.transform.Source; +import javax.xml.transform.stream.StreamSource; +import javax.xml.validation.Schema; +import javax.xml.validation.SchemaFactory; + +import oasis.names.tc.saml._1_0.assertion.AssertionType; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.w3c.dom.Document; +import org.w3c.dom.Element; +import org.xml.sax.InputSource; +import org.xml.sax.SAXException; + +public class IdLinkFactory { + + protected static Logger log = LoggerFactory.getLogger(IdLinkFactory.class); + + public static final String[] SCHEMA_FILES = new String[] { + "at/gv/egiz/mocca/id/idlschema/xmldsig-more.xsd", + "at/gv/egiz/mocca/id/idlschema/xmldsig-core-schema.xsd", + "at/gv/egiz/mocca/id/idlschema/PersonData.xsd", + "at/gv/egiz/mocca/id/idlschema/oasis-sstc-saml-schema-assertion-1.0.xsd"}; + + private static class InstanceHolder { + private static 
final IdLinkFactory INSTANCE = new IdLinkFactory(); + } + + public static IdLinkFactory getInstance() { + return InstanceHolder.INSTANCE; + } + + static { +// InitDOMStructure.init(); + } + + private final Schema idlSchema; + + private final JAXBContext jaxbContext; + + + private IdLinkFactory() { + + try { + SchemaFactory schemaFactory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI); + ClassLoader cl = Thread.currentThread().getContextClassLoader(); + Source[] sources = new Source[SCHEMA_FILES.length]; + for (int i = 0; i < SCHEMA_FILES.length; i++) { + String schemaFile = SCHEMA_FILES[i]; + URL schemaURL = cl.getResource(schemaFile); + if (schemaURL == null) { + throw new RuntimeException("Failed to load schema file " + schemaFile + "."); + } + log.debug("Schema location: " + schemaURL); + sources[i] = new StreamSource(schemaURL.openStream()); + } + idlSchema = schemaFactory.newSchema(sources); + } catch (IOException e) { + log.error("Failed to load identity link schema.", e); + throw new RuntimeException(e); + } catch (SAXException e) { + log.error("Failed to load identity link schema.", e); + throw new RuntimeException(e); + } + + StringBuffer packageNames = new StringBuffer(); + packageNames.append(at.gv.e_government.reference.namespace.persondata._20020228_.ObjectFactory.class.getPackage().getName()); + packageNames.append(":"); + packageNames.append(oasis.names.tc.saml._1_0.assertion.ObjectFactory.class.getPackage().getName()); + + try { + jaxbContext = JAXBContext.newInstance(packageNames.toString()); + } catch (JAXBException e) { + // we should not get an JAXBException initializing the JAXBContext + throw new RuntimeException(e); + } + + } + + public IdLink unmarshallIdLink(InputSource source) throws IdLinkException, + ParserConfigurationException, SAXException, IOException, JAXBException { + + DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); + dbf.setNamespaceAware(true); + dbf.setSchema(idlSchema); + 
dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); + + // http://www.w3.org/TR/xmldsig-bestpractices/#be-aware-schema-normalization + try { + dbf.setAttribute("http://apache.org/xml/features/validation/schema/normalized-value", Boolean.FALSE); + } catch (IllegalArgumentException e) { + log.warn("Failed to disable schema normalization " + + "(see http://www.w3.org/TR/xmldsig-bestpractices/#be-aware-schema-normalization)", e); + } + + DocumentBuilder documentBuilder = dbf.newDocumentBuilder(); + Document doc = documentBuilder.parse(source); + + return unmarshallIdLink(doc.getDocumentElement()); + + } + + public IdLink unmarshallIdLink(Element element) throws IdLinkException, JAXBException { + + Unmarshaller unmarshaller = jaxbContext.createUnmarshaller(); + unmarshaller.setSchema(idlSchema); + + Object object = unmarshaller.unmarshal(element); + + IdLink idLink; + if (object instanceof JAXBElement + && ((JAXBElement) object).getDeclaredType() == AssertionType.class) { + idLink = new IdLink(element, (AssertionType) ((JAXBElement) object).getValue()); + } else { + throw new IllegalArgumentException("Parameter node is not a " + + new QName("urn:oasis:names:tc:SAML:1.0:assertion", "Assertion")); + } + + return idLink; + + } + +} diff --git a/BKUOnline/src/main/java/at/gv/egiz/mocca/id/IdLinkKeySelector.java b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/IdLinkKeySelector.java new file mode 100644 index 00000000..493b92af --- /dev/null +++ b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/IdLinkKeySelector.java 
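Review bot: In the private constructor each `new StreamSource(schemaURL.openStream())` opens a classpath stream that is never closed — neither after `schemaFactory.newSchema(sources)` returns nor when it throws. Passing the location instead, `sources[i] = new StreamSource(schemaURL.toExternalForm());`, lets the `SchemaFactory` open and close the streams itself and also gives each source a system id for resolving relative `xs:import`/`xs:include` references. The `packageNames` `StringBuffer` never leaves the constructor, so a `StringBuilder` (or plain string concatenation) is the idiomatic choice there.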
@@ -0,0 +1,88 @@ +/* +* Copyright 2009 Federal Chancellery Austria and +* Graz University of Technology +* +* Licensed under the Apache License, Version 2.0 (the "License"); +* you may not use this file except in compliance with the License. +* You may obtain a copy of the License at +* +* http://www.apache.org/licenses/LICENSE-2.0 +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, +* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +* See the License for the specific language governing permissions and +* limitations under the License. +*/ + +package at.gv.egiz.mocca.id; + +import java.security.Key; +import java.security.PublicKey; +import java.security.cert.X509Certificate; + +import javax.xml.crypto.AlgorithmMethod; +import javax.xml.crypto.KeySelector; +import javax.xml.crypto.KeySelectorException; +import javax.xml.crypto.KeySelectorResult; +import javax.xml.crypto.MarshalException; +import javax.xml.crypto.XMLCryptoContext; +import javax.xml.crypto.dsig.keyinfo.KeyInfo; +import javax.xml.crypto.dsig.keyinfo.X509Data; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +public class IdLinkKeySelector extends KeySelector { + + private static Logger log = LoggerFactory.getLogger(IdLinkKeySelector.class); + + private IdLink idLink; + + public IdLinkKeySelector(IdLink idLink) { + super(); + if (idLink == null) { + throw new NullPointerException("Parameter 'idLink' must not be null."); + } + this.idLink = idLink; + } + + @Override + public KeySelectorResult select(KeyInfo keyInfo, Purpose purpose, + AlgorithmMethod method, XMLCryptoContext context) + throws KeySelectorException { + + if (purpose != Purpose.VERIFY) { + throw new KeySelectorException("KeySelector does not support purpose " + + purpose + "."); + } + + try { + for (Object ki : keyInfo.getContent()) { + if (ki instanceof X509Data) { + for (Object xd : ((X509Data) 
ki).getContent()) {
+ if (xd instanceof X509Certificate) {
+ final PublicKey publicKey = ((X509Certificate) xd).getPublicKey();
+ if (idLink.getCitizenPublicKeys().contains(publicKey)) {
+ log.trace("Found matching key {} in identiy link and KeyInfo.", publicKey);
+ return new KeySelectorResult() {
+ @Override
+ public Key getKey() {
+ return publicKey;
+ }
+ };
+ }
+ }
+ }
+ }
+ }
+ } catch (MarshalException e) {
+ log.info("Failed to get public keys from identity link.", e);
+ throw new KeySelectorException(e);
+ }
+
+ log.info("Did not find matching public keys in the identity link and the KeyInfo.");
+ return null;
+ }
+
+}
diff --git a/BKUOnline/src/main/java/at/gv/egiz/mocca/id/IdLinkPersonData.java b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/IdLinkPersonData.java
new file mode 100644
index 00000000..5b6f4453
--- /dev/null
+++ b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/IdLinkPersonData.java
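Review bot: `idLink.getCitizenPublicKeys().contains(publicKey)` relies on `PublicKey.equals`, and the two sides come from different places — the identity link's keys are built from a `KeyValueType`, the candidate from the `X509Certificate` in `KeyInfo`; if those objects are produced by different providers, equal keys may not compare equal, so matching on `getEncoded()` (e.g. `Arrays.equals(a.getEncoded(), b.getEncoded())`) would be more robust — worth confirming against the providers actually in use. The trace message has a typo: `identiy link` should be `identity link`. When nothing matches, `select` returns `null` rather than throwing; a one-line comment stating that the validating caller treats a null result as "no verification key" would make that contract explicit.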
@@ -0,0 +1,76 @@ +/* +* Copyright 2009 Federal Chancellery Austria and +* Graz University of Technology +* +* Licensed under the Apache License, Version 2.0 (the "License"); +* you may not use this file except in compliance with the License. +* You may obtain a copy of the License at +* +* http://www.apache.org/licenses/LICENSE-2.0 +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, +* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +* See the License for the specific language governing permissions and +* limitations under the License. +*/ + +package at.gv.egiz.mocca.id; + +import java.text.DateFormat; +import java.text.ParseException; +import java.text.SimpleDateFormat; +import java.util.Date; + +import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType; +import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType; + +public class IdLinkPersonData { + + private static final DateFormat DATE_FORMAT = new SimpleDateFormat("yyyy-MM-dd"); + + protected PersonalIdentifier identifier; + + protected String familyName; + + protected String givenName; + + protected Date dateOfBirth; + + public IdLinkPersonData(PhysicalPersonType physicalPerson) throws ParseException { + familyName = physicalPerson.getName().getFamilyName().get(0).getValue(); + givenName = physicalPerson.getName().getGivenName().get(0); + dateOfBirth = DATE_FORMAT.parse(physicalPerson.getDateOfBirth()); + IdentificationType identificationType = physicalPerson.getIdentification().get(0); + if (identificationType != null) { + identifier = new PersonalIdentifier(identificationType.getType(), + identificationType.getValue().getValue()); + } + } + + public String getGivenName() { + return givenName; + } + + public String getFamilyName() { + return familyName; + } + + public Date getDateOfBirth() throws ParseException { + return dateOfBirth; + } 
+ + public PersonalIdentifier getIdentifier() { + return identifier; + } + + /* (non-Javadoc) + * @see java.lang.Object#toString() + */ + @Override + public String toString() { + return familyName + ", " + givenName + ", " + DATE_FORMAT.format(dateOfBirth); + } + + +} diff --git a/BKUOnline/src/main/java/at/gv/egiz/mocca/id/PersonalIdentifier.java b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/PersonalIdentifier.java new file mode 100644 index 00000000..ad108dc2 --- /dev/null +++ b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/PersonalIdentifier.java 
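Review bot: `DATE_FORMAT` is a shared `static` `SimpleDateFormat` used from both the constructor and `toString()`, and `SimpleDateFormat` is not thread-safe; where identity links are parsed concurrently this can produce wrong dates or exceptions. The cheapest fix is a per-call instance: `dateOfBirth = new SimpleDateFormat("yyyy-MM-dd").parse(physicalPerson.getDateOfBirth());` in the constructor and the same in `toString()`, dropping the static field. The constructor also indexes `getFamilyName().get(0)`, `getGivenName().get(0)` and `getIdentification().get(0)` unguarded, so an identity link with an empty list fails with `IndexOutOfBoundsException` rather than a clear `ParseException`/`IdLinkException`, while the later `identificationType != null` check is unlikely ever to be false after a successful `get(0)`. `getDateOfBirth()` declares `throws ParseException` but cannot throw it, forcing needless handling on callers.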
@@ -0,0 +1,81 @@ +/* +* Copyright 2009 Federal Chancellery Austria and +* Graz University of Technology +* +* Licensed under the Apache License, Version 2.0 (the "License"); +* you may not use this file except in compliance with the License. +* You may obtain a copy of the License at +* +* http://www.apache.org/licenses/LICENSE-2.0 +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, +* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +* See the License for the specific language governing permissions and +* limitations under the License. +*/ + +package at.gv.egiz.mocca.id; + +import iaik.utils.Base64OutputStream; + +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.io.UnsupportedEncodingException; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; + +public class PersonalIdentifier { + + public static final String PREFIX = "urn:publicid:gv.at:"; + + public static final String BASE_ID = PREFIX + "baseid"; + + + protected String type; + + protected String value; + + public PersonalIdentifier(String type, String value) { + this.type = type; + this.value = value; + } + + /** + * @return the type + */ + public String getType() { + return type; + } + + /** + * @return the value + */ + public String getValue() { + return value; + } + + public PersonalIdentifier getDerivedValue(String domainId) { + + if (BASE_ID.equals(type)) { + try { + MessageDigest md = MessageDigest.getInstance("SHA"); + ByteArrayOutputStream os = new ByteArrayOutputStream(); + Base64OutputStream bos = new Base64OutputStream(os); + bos.write(md.digest((value + '+' + domainId).getBytes("ISO-8859-1"))); + bos.flush(); + return new PersonalIdentifier(domainId, os.toString("ASCII")); + } catch (NoSuchAlgorithmException e) { + throw new RuntimeException(e); + } catch (UnsupportedEncodingException e) { + throw new 
RuntimeException(e); + } catch (IOException e) { + throw new RuntimeException(e); + } + } + return null; + + } + + +} diff --git a/BKUOnline/src/main/java/at/gv/egiz/mocca/id/QESTemplates.java b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/QESTemplates.java new file mode 100644 index 00000000..8737d39c --- /dev/null +++ b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/QESTemplates.java 
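Review bot: In `getDerivedValue` the IAIK `Base64OutputStream` is flushed but never closed; if that stream emits the final (padded) Base64 group only on `close()`, the derived identifier for the 20-byte digest would be truncated, so call `bos.close()` before reading `os` — please confirm against the IAIK implementation, closing is harmless either way. `MessageDigest.getInstance("SHA")` uses a provider alias; the standard name `"SHA-1"` makes the intended algorithm explicit. A `null` `domainId` is concatenated as the literal `"null"` into the digest input, so reject it up front (`if (domainId == null) throw new NullPointerException("domainId");`), and the `return null` for any type other than `BASE_ID` deserves a Javadoc `@return` stating it.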
@@ -0,0 +1,115 @@ +/* +* Copyright 2009 Federal Chancellery Austria and +* Graz University of Technology +* +* Licensed under the Apache License, Version 2.0 (the "License"); +* you may not use this file except in compliance with the License. +* You may obtain a copy of the License at +* +* http://www.apache.org/licenses/LICENSE-2.0 +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, +* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +* See the License for the specific language governing permissions and +* limitations under the License. +*/ + +package at.gv.egiz.mocca.id; + +import java.io.InputStream; +import java.io.StringWriter; +import java.text.DateFormat; +import java.text.ParseException; +import java.util.Collections; +import java.util.Date; +import java.util.HashMap; +import java.util.Locale; +import java.util.Map; + +import javax.xml.crypto.MarshalException; +import javax.xml.transform.Templates; +import javax.xml.transform.Transformer; +import javax.xml.transform.TransformerConfigurationException; +import javax.xml.transform.TransformerException; +import javax.xml.transform.TransformerFactory; +import javax.xml.transform.stream.StreamResult; +import javax.xml.transform.stream.StreamSource; + +import at.gv.egiz.bku.slexceptions.SLRuntimeException; + +public class QESTemplates { + + private Map templatesMap = Collections.synchronizedMap(new HashMap()); + + private synchronized Templates getTemplates(String id) { + + Templates templates = templatesMap.get(id); + if (templates == null) { + templates = loadTemplates(id); + templatesMap.put(id, templates); + } + return templates; + + } + + protected Templates loadTemplates(String id) { + + InputStream xsl = QESTemplates.class.getResourceAsStream("/templates/template.xsl"); + if (xsl == null) { + throw new IllegalArgumentException("Template not found."); + } + TransformerFactory transformerFactory 
= TransformerFactory.newInstance(); + try { + return transformerFactory.newTemplates(new StreamSource(xsl)); + } catch (TransformerConfigurationException e) { + throw new SLRuntimeException(e); + } + + } + + public String createQESTemplate(String id, Locale locale, IdLink idLink, String url, PersonalIdentifier derivedIdentifier, Date dateTime) { + + Templates templates = getTemplates(id); + try { + Transformer transformer = templates.newTransformer(); + + DateFormat dateFormat = DateFormat.getDateInstance(DateFormat.MEDIUM, locale); + DateFormat timeFormat = DateFormat.getTimeInstance(DateFormat.MEDIUM, locale); + + IdLinkPersonData personData = idLink.getPersonData(); + + transformer.setParameter("givenName", personData.getGivenName()); + transformer.setParameter("familyName", personData.getFamilyName()); + transformer.setParameter("dateOfBirth", dateFormat.format(personData.getDateOfBirth())); + + transformer.setParameter("url", url); + transformer.setParameter("identifierType", derivedIdentifier.getType()); + transformer.setParameter("identifierValue", derivedIdentifier.getValue()); + + transformer.setParameter("date", dateFormat.format(dateTime)); + transformer.setParameter("time", timeFormat.format(dateTime)); + + + StringWriter writer = new StringWriter(); + transformer.transform(new StreamSource(), new StreamResult(writer)); + + + return writer.toString(); + } catch (TransformerConfigurationException e) { + throw new SLRuntimeException(e); + } catch (TransformerException e) { + // TODO Auto-generated catch block + e.printStackTrace(); + } catch (MarshalException e) { + // TODO Auto-generated catch block + e.printStackTrace(); + } catch (ParseException e) { + // TODO Auto-generated catch block + e.printStackTrace(); + } + return null; + + } + +} diff --git a/BKUOnline/src/main/java/at/gv/egiz/mocca/id/SAMLBindingProcessorFactory.java b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/SAMLBindingProcessorFactory.java new file mode 100644 index 00000000..9a71b32f 
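Review bot: `createQESTemplate` swallows `TransformerException`, `MarshalException` and `ParseException` with `printStackTrace()` and returns `null`, which the caller then dereferences (`template.getBytes(...)` in `SAMLBindingProcessorImpl`); make the three catches consistent with the first one, `throw new SLRuntimeException(e);`, and drop the trailing `return null`. `loadTemplates(String id)` ignores `id` and always loads `/templates/template.xsl`, so the `id`-keyed cache and the `"test"` id passed by the caller are misleading — either select the resource by `id` or drop the parameter; the `InputStream xsl` is also never closed. The map is wrapped in `Collections.synchronizedMap` and only ever touched from a `synchronized` method, so one of the two locks is redundant. Since the `TransformerFactory` is obtained with defaults, `transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` is cheap defence in depth even though the stylesheet is a classpath resource.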
--- /dev/null +++ b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/SAMLBindingProcessorFactory.java @@ -0,0 +1,44 @@ +/* +* Copyright 2009 Federal Chancellery Austria and +* Graz University of Technology +* +* Licensed under the Apache License, Version 2.0 (the "License"); +* you may not use this file except in compliance with the License. +* You may obtain a copy of the License at +* +* http://www.apache.org/licenses/LICENSE-2.0 +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, +* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +* See the License for the specific language governing permissions and +* limitations under the License. +*/ + +package at.gv.egiz.mocca.id; + +import java.util.Collections; +import java.util.Set; + +import at.gv.egiz.bku.binding.AbstractBindingProcessorFactory; +import at.gv.egiz.bku.binding.BindingProcessor; +import at.gv.egiz.bku.binding.BindingProcessorFactory; +import at.gv.egiz.bku.utils.binding.Protocol; + +public class SAMLBindingProcessorFactory extends AbstractBindingProcessorFactory implements BindingProcessorFactory { + + private Set supportedProtocols = Collections.singleton(Protocol.SAML); + + @Override + public Set getSupportedProtocols() { + return supportedProtocols; + } + + @Override + public BindingProcessor createBindingProcessor() { + SAMLBindingProcessorImpl bindingProcessor = new SAMLBindingProcessorImpl(); + configureBindingProcessor(bindingProcessor); + return bindingProcessor; + } + +} diff --git a/BKUOnline/src/main/java/at/gv/egiz/mocca/id/SAMLBindingProcessorImpl.java b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/SAMLBindingProcessorImpl.java new file mode 100644 index 00000000..ce4ac425 --- /dev/null +++ b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/SAMLBindingProcessorImpl.java 
@@ -0,0 +1,357 @@ +/* + * Copyright 2009 Federal Chancellery Austria and + * Graz University of Technology + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package at.gv.egiz.mocca.id; + +import java.io.ByteArrayInputStream; +import java.io.IOException; +import java.io.InputStream; +import java.io.OutputStream; +import java.nio.charset.Charset; +import java.util.Collections; +import java.util.Date; +import java.util.Iterator; +import java.util.List; +import java.util.Map; + +import javax.servlet.http.HttpServletResponse; +import javax.xml.bind.JAXBElement; +import javax.xml.bind.JAXBException; +import javax.xml.crypto.MarshalException; +import javax.xml.crypto.dsig.XMLSignature; +import javax.xml.crypto.dsig.XMLSignatureException; +import javax.xml.crypto.dsig.XMLSignatureFactory; +import javax.xml.crypto.dsig.dom.DOMValidateContext; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.w3c.dom.Document; +import org.w3c.dom.Element; + +import at.buergerkarte.namespaces.securitylayer._1.AnyChildrenType; +import at.buergerkarte.namespaces.securitylayer._1.Base64XMLLocRefOptRefContentType; +import at.buergerkarte.namespaces.securitylayer._1.CreateXMLSignatureRequestType; +import at.buergerkarte.namespaces.securitylayer._1.DataObjectInfoType; +import at.buergerkarte.namespaces.securitylayer._1.InfoboxReadParamsBinaryFileType; +import at.buergerkarte.namespaces.securitylayer._1.InfoboxReadRequestType; +import 
at.buergerkarte.namespaces.securitylayer._1.MetaInfoType; +import at.buergerkarte.namespaces.securitylayer._1.ObjectFactory; +import at.buergerkarte.namespaces.securitylayer._1.TransformsInfoType; +import at.gv.egiz.bku.binding.FormParameter; +import at.gv.egiz.bku.binding.HTTPBindingProcessor; +import at.gv.egiz.bku.binding.HttpUtil; +import at.gv.egiz.bku.binding.InputDecoder; +import at.gv.egiz.bku.binding.InputDecoderFactory; +import at.gv.egiz.bku.slcommands.CreateXMLSignatureResult; +import at.gv.egiz.bku.slcommands.ErrorResult; +import at.gv.egiz.bku.slcommands.InfoboxReadResult; +import at.gv.egiz.bku.slcommands.SLCommand; +import at.gv.egiz.bku.slcommands.SLCommandFactory; +import at.gv.egiz.bku.slcommands.SLResult; +import at.gv.egiz.bku.slexceptions.SLCommandException; +import at.gv.egiz.bku.slexceptions.SLVersionException; + +public class SAMLBindingProcessorImpl extends + AbstractCommandSequenceBindingProcessor implements HTTPBindingProcessor { + + private static final Logger log = LoggerFactory + .getLogger(SAMLBindingProcessorImpl.class); + + private String requestContentType; + + private String domainIdentifier = "urn:publicid:gv.at:wbpk+FN+468924i"; + + private String keyBoxIdentifier = "SecureSignatureKeypair"; + + private String url = "www.egiz.gv.at"; + + private QESTemplates templates = new QESTemplates(); + + private IdLink idLink; + + private Element signature; + + private SLResult errorResponse; + + @Override + protected void processResult(SLResult result) { + if (result instanceof ErrorResult) { + ErrorResult errorResult = (ErrorResult) result; + log.info("Got ErrorResponse {}: {}", errorResult.getErrorCode(), + errorResult.getInfo()); + errorResponse = result; + return; + } else if (result instanceof InfoboxReadResult) { + try { + processInfoboxReadResult((InfoboxReadResult) result); + if (idLink != null) { + try { + IdLinkPersonData personData = idLink.getPersonData(); + log.info("Got idLink for {}.", personData); + } catch 
(MarshalException e) { + log.info("Failed to unmarshal idLink."); + } + } + } catch (JAXBException e) { + log.info("InfoboxReadResult contains unexpected data.", e); + errorResponse = result; + } catch (IdLinkException e) { + log.info("InfoboxReadResult contains invalid identity link.", e); + errorResponse = result; + } + } else if (result instanceof CreateXMLSignatureResult) { + signature = ((CreateXMLSignatureResult) result).getContent(); + log.info("Got signature."); + boolean valid = validate(signature) && validate(idLink); + log.info("Signature is valid: " + valid); + } + } + + @Override + protected SLCommand getNextCommand() { + + JAXBElement request = null; + if (errorResponse == null) { + if (idLink == null) { + request = createReadInfoboxRequest(domainIdentifier); + } else if (signature == null) { + request = createXMLSignatureRequest(); + } + } + + if (request != null) { + SLCommandFactory commandFactory = SLCommandFactory.getInstance(); + try { + return commandFactory.createSLCommand(request); + } catch (SLCommandException e) { + log.error("Failed to create SLCommand.", e); + setError(e); + } catch (SLVersionException e) { + log.error("Failed to create SLCommand.", e); + setError(e); + } + } + + return null; + } + + protected void processInfoboxReadResult(InfoboxReadResult result) + throws JAXBException, IdLinkException { + + Object object = result.getContent(); + if (object instanceof byte[]) { + log.info("InfoboxReadResult contains unexpected binary data."); + errorResponse = result; + return; + } else if (object instanceof List) { + JAXBException exception = null; + for (Object content : (List) object) { + if (content instanceof Element) { + try { + idLink = IdLinkFactory.getInstance().unmarshallIdLink( + (Element) content); + return; + } catch (JAXBException e) { + exception = e; + } + } + } + if (exception != null) { + throw exception; + } + } + + } + + @Override + public void setHTTPHeaders(Map headerMap) { + for (String header : 
headerMap.keySet()) { + if (HttpUtil.HTTP_HEADER_CONTENT_TYPE.equalsIgnoreCase(header)) { + requestContentType = headerMap.get(header); + } + } + } + + @Override + public void consumeRequestStream(String url, InputStream is) { + InputDecoder inputDecoder = InputDecoderFactory.getDecoder( + requestContentType, is); + Iterator fpi = inputDecoder.getFormParameterIterator(); + while (fpi.hasNext()) { + FormParameter formParameter = fpi.next(); + if ("BKUUrl".equals(formParameter.getFormParameterName())) { + setExternal(true); + } + } + } + + @Override + public String getResultContentType() { + // TODO Auto-generated method stub + return null; + } + + @Override + public void writeResultTo(OutputStream os, String encoding) + throws IOException { + // TODO Auto-generated method stub + + } + + protected JAXBElement createReadInfoboxRequest( + String domainIdentifier) { + + ObjectFactory factory = new ObjectFactory(); + + InfoboxReadRequestType infoboxReadRequestType = factory + .createInfoboxReadRequestType(); + infoboxReadRequestType.setInfoboxIdentifier("IdentityLink"); + + InfoboxReadParamsBinaryFileType infoboxReadParamsBinaryFileType = factory + .createInfoboxReadParamsBinaryFileType(); + infoboxReadParamsBinaryFileType.setContentIsXMLEntity(true); + infoboxReadRequestType + .setBinaryFileParameters(infoboxReadParamsBinaryFileType); + + if (domainIdentifier != null) { + JAXBElement identityLinkDomainIdentifier = factory + .createIdentityLinkDomainIdentifier(domainIdentifier); + AnyChildrenType anyChildrenType = factory.createAnyChildrenType(); + anyChildrenType.getAny().add(identityLinkDomainIdentifier); + + infoboxReadRequestType.setBoxSpecificParameters(anyChildrenType); + } + + return factory.createInfoboxReadRequest(infoboxReadRequestType); + + } + + protected JAXBElement createXMLSignatureRequest() { + + ObjectFactory factory = new ObjectFactory(); + + CreateXMLSignatureRequestType createXMLSignatureRequest = factory + .createCreateXMLSignatureRequestType(); + 
createXMLSignatureRequest.setKeyboxIdentifier(keyBoxIdentifier); + + DataObjectInfoType dataObjectInfoType = factory.createDataObjectInfoType(); + dataObjectInfoType.setStructure("enveloping"); + + TransformsInfoType transformsInfoType = factory.createTransformsInfoType(); + MetaInfoType metaInfoType = factory.createMetaInfoType(); + metaInfoType.setMimeType("application/xhtml+xml"); + transformsInfoType.setFinalDataMetaInfo(metaInfoType); + + dataObjectInfoType.getTransformsInfo().add(transformsInfoType); + + Base64XMLLocRefOptRefContentType contentType = factory + .createBase64XMLLocRefOptRefContentType(); + + PersonalIdentifier identifier; + try { + identifier = idLink.getPersonData().getIdentifier(); + } catch (MarshalException e) { + setError(e); + return null; + } + if ("urn:publicid:gv.at:baseid".equals(identifier.getType())) { + identifier = identifier.getDerivedValue(domainIdentifier); + } + String template = templates.createQESTemplate("test", locale, idLink, "", + identifier, new Date()); + + contentType.setBase64Content(template.getBytes(Charset.forName("UTF-8"))); + + dataObjectInfoType.setDataObject(contentType); + + createXMLSignatureRequest.getDataObjectInfo().add(dataObjectInfoType); + + return factory.createCreateXMLSignatureRequest(createXMLSignatureRequest); + + } + + protected boolean validate(IdLink idLink) { + try { + if (domainIdentifier != null && domainIdentifier.startsWith("urn:publicid:gv.at:ccid")) { + if (!idLink.verifyManifest()) { + log.info("Identity link manifest verification failed."); + return false; + } + } + if (idLink.verifySignature()) { + return true; + } + } catch (MarshalException e) { + log.info("Identity link signature verification failed.", e); + } catch (XMLSignatureException e) { + log.info("Identity link signature verification failed.", e); + } + log.info("Identity link signature verification failed."); + return false; + } + + + protected boolean validate(Element signature) { + + Document doc = 
signature.getOwnerDocument(); + if (signature != signature.getOwnerDocument().getDocumentElement()) { + doc.replaceChild(signature, doc.getDocumentElement()); + } + + XMLSignatureFactory xmlSignatureFactory = XMLSignatureFactory.getInstance(); + + try { + IdLinkKeySelector keySelector = new IdLinkKeySelector(idLink); + DOMValidateContext validateContext = new DOMValidateContext(keySelector, signature); + + XMLSignature xmlSignature = xmlSignatureFactory + .unmarshalXMLSignature(validateContext); + + return xmlSignature.validate(validateContext); + } catch (MarshalException e) { + log.info("Failed to unmarshall signature.", e); + } catch (XMLSignatureException e) { + log.info("Failed to validate signature.", e); + } + return false; + } + + @Override + public InputStream getFormData(String parameterName) { + if ("appletPage".equals(parameterName)) { + String appletPage = (isExternal()) ? "local.jsp" : "applet.jsp"; + return new ByteArrayInputStream(appletPage.getBytes()); + } + return null; + } + + @Override + public String getRedirectURL() { + return null; + } + + @Override + public int getResponseCode() { + return HttpServletResponse.SC_OK; + } + + @Override + public Map getResponseHeaders() { + return Collections.emptyMap(); + } + +} diff --git a/BKUOnline/src/main/java/at/gv/egiz/mocca/id/SAMLRequestHandler.java b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/SAMLRequestHandler.java new file mode 100644 index 00000000..0209ca79 --- /dev/null +++ b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/SAMLRequestHandler.java 
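Review bot: In `processResult`, the `CreateXMLSignatureResult` branch computes `validate(signature) && validate(idLink)` but only logs the outcome; nothing records a failed verification, so an invalid signature or identity link leaves the processor in the same state as a successful one. Keep the result in a field and treat a failure as an error response, as the other branches do (see below). `getFormData` encodes the page name with `appletPage.getBytes()` (platform charset); `getBytes("UTF-8")` or the `Charset` already used in `createXMLSignatureRequest` would be consistent. `domainIdentifier`, `keyBoxIdentifier` and `url` are hard-coded, and `createXMLSignatureRequest` passes a fixed `"test"` template id and `""` rather than `url`; there `identifier` may be `null` when the identity link carries no identification and `template` may be `null` when `QESTemplates` fails, both dereferenced unguarded.
```java
  private boolean signatureValid;

  // … unchanged: ErrorResult and InfoboxReadResult branches of processResult …
    } else if (result instanceof CreateXMLSignatureResult) {
      signature = ((CreateXMLSignatureResult) result).getContent();
      log.info("Got signature.");
      signatureValid = validate(signature) && validate(idLink);
      if (!signatureValid) {
        log.info("Signature or identity link verification failed.");
        errorResponse = result;
      }
    }
```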
@@ -0,0 +1,33 @@
+/*
+* Copyright 2009 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+package at.gv.egiz.mocca.id;
+
+import javax.servlet.http.HttpServletRequest;
+
+import at.gv.egiz.bku.online.webapp.AbstractWebRequestHandler;
+
+public class SAMLRequestHandler extends AbstractWebRequestHandler {
+
+ private static final long serialVersionUID = 1L;
+
+ @Override
+ protected String getRequestProtocol(HttpServletRequest req) {
+ return "SAML";
+ }
+
+}
diff --git a/BKUOnline/src/main/java/at/gv/egiz/mocca/id/SLCommandBrocker.java b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/SLCommandBrocker.java
new file mode 100644
index 00000000..2e46a220
--- /dev/null
+++ b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/SLCommandBrocker.java
@@ -0,0 +1,100 @@ +/* +* Copyright 2009 Federal Chancellery Austria and +* Graz University of Technology +* +* Licensed under the Apache License, Version 2.0 (the "License"); +* you may not use this file except in compliance with the License. +* You may obtain a copy of the License at +* +* http://www.apache.org/licenses/LICENSE-2.0 +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, +* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +* See the License for the specific language governing permissions and +* limitations under the License. +*/ + +package at.gv.egiz.mocca.id; + +import at.gv.egiz.bku.slcommands.SLCommand; +import at.gv.egiz.bku.slcommands.SLCommandContext; +import at.gv.egiz.bku.slcommands.SLResult; +import at.gv.egiz.bku.slcommands.impl.ErrorResultImpl; +import at.gv.egiz.bku.slexceptions.SLCommandException; + +public class SLCommandBrocker { + + private Sync commandSync = new Sync(); + + private Sync resultSync = new Sync(); + + public SLResult execute(SLCommand command, SLCommandContext context, long timeout) throws InterruptedException { + try { + commandSync.put(command, timeout); + if (command != null) { + return resultSync.get(timeout); + } else { + return null; + } + } catch (SLCommandException e) { + return new ErrorResultImpl(e, context.getLocale()); + } + } + + public SLCommand nextCommand(SLResult result, long timeout) throws SLCommandException, InterruptedException { + if (result != null) { + resultSync.put(result, timeout); + } + return commandSync.get(timeout); + } + + public class Sync { + + private boolean available; + + private R r; + + public synchronized R get(long timeout) throws SLCommandException, InterruptedException { + + long t0 = System.currentTimeMillis(); + long elapsed = 0; + + while (!available) { + wait(timeout - elapsed); + elapsed = System.currentTimeMillis() - t0; + if (elapsed > timeout) { + 
notifyAll(); + throw new SLCommandException(6000); + } + } + + R r = this.r; + this.r = null; + available = false; + notifyAll(); + return r; + } + + public synchronized void put(R r, long timeout) throws SLCommandException, InterruptedException { + + long t0 = System.currentTimeMillis(); + long elapsed = 0; + + while (available) { + wait(timeout - elapsed); + elapsed = System.currentTimeMillis() - t0; + if (elapsed > timeout) { + notifyAll(); + throw new SLCommandException(6000); + } + } + + this.r = r; + available = true; + notifyAll(); + } + + } + +} diff --git a/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/RequestBrokerSTALFactory.java b/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/RequestBrokerSTALFactory.java index 305d8c1c..5940f505 100644 --- a/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/RequestBrokerSTALFactory.java +++ b/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/RequestBrokerSTALFactory.java 
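Review bot: Both wait loops in `Sync` call `wait(timeout - elapsed)` and only give up when `elapsed > timeout`, so once `elapsed` equals `timeout` exactly the next call is `wait(0)`, which waits indefinitely; the check should be `if (elapsed >= timeout)` in both `get` and `put` (a caller passing `timeout <= 0` hits the same `wait(0)` path immediately). Measuring elapsed time with `System.currentTimeMillis()` makes the timeout sensitive to wall-clock adjustments; `System.nanoTime()` is the monotonic choice. The meaning of the code in `new SLCommandException(6000)` is not visible here and deserves a named constant or a comment, and `Brocker` in the class name is presumably meant to be `Broker`. `execute` hands a `null` command through `commandSync.put` and then returns `null`, which looks like the shutdown signal for `nextCommand` — a one-line comment saying so would help.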
@@ -19,27 +19,50 @@ package at.gv.egiz.stal.service.impl; import java.util.Locale; +import org.apache.commons.configuration.Configuration; + +import at.gv.egiz.bku.conf.MoccaConfigurationFacade; +import at.gv.egiz.bku.jmx.ComponentMXBean; +import at.gv.egiz.bku.jmx.ComponentState; import at.gv.egiz.stal.STAL; import at.gv.egiz.stal.STALFactory; /** * - * @author clemens + * @author clemens, mcentner */ -public class RequestBrokerSTALFactory implements STALFactory { - - private static long timeout = -1; +public class RequestBrokerSTALFactory implements STALFactory, ComponentMXBean { - @Override - public STAL createSTAL() { - return new STALRequestBrokerImpl(timeout); - } + public final ConfigurationFacade configurationFacade = new ConfigurationFacade(); + + public class ConfigurationFacade implements MoccaConfigurationFacade { + + private Configuration configuration; + + public static final String APPLET_TIMEOUT = "AppletTimeout"; - @Override - public void setLocale(Locale locale) { + public int getAppletTimeout() { + return configuration.getInteger(APPLET_TIMEOUT, -1); } + + } + + public void setConfiguration(Configuration configuration) { + configurationFacade.configuration = configuration; + } + + @Override + public STAL createSTAL() { + return new STALRequestBrokerImpl(configurationFacade.getAppletTimeout()); + } + + @Override + public void setLocale(Locale locale) { + } + + @Override + public ComponentState checkComponentState() { + return new ComponentState(true); + } - public static void setTimeout(long millisec) { - timeout = millisec; - } } diff --git a/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/STALRequestBrokerImpl.java b/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/STALRequestBrokerImpl.java index a2447ab7..5705a9f7 100644 --- a/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/STALRequestBrokerImpl.java +++ b/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/STALRequestBrokerImpl.java 
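Review bot: `ConfigurationFacade.getAppletTimeout()` dereferences `configuration`, which is `null` until `setConfiguration` is called, so `createSTAL()` throws `NullPointerException` instead of falling back to the `-1` default; guard it, e.g. `return configuration == null ? -1 : configuration.getInteger(APPLET_TIMEOUT, -1);`. `checkComponentState()` unconditionally reports healthy; `new ComponentState(configuration != null)` (or whatever the STAL actually needs) would make the MXBean report something. Unless something outside the class needs the facade, `configurationFacade` can be a `private` field behind `setConfiguration`, and `ConfigurationFacade` uses no outer-instance state, so it can be `static`.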
@@ -34,8 +34,8 @@ import java.util.ArrayList; import java.util.Collections; import java.util.List; import javax.xml.bind.JAXBElement; -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; /** * An instance of STALRequestBroker is shared between a producer thread (SLCommand) @@ -50,7 +50,7 @@ import org.apache.commons.logging.LogFactory; */ public class STALRequestBrokerImpl implements STALRequestBroker { - private static final Log log = LogFactory.getLog(STALRequestBrokerImpl.class); + private final Logger log = LoggerFactory.getLogger(STALRequestBrokerImpl.class); private ObjectFactory of = new ObjectFactory(); private STALTranslator translator = new STALTranslator(); @@ -173,7 +173,7 @@ public class STALRequestBrokerImpl implements STALRequestBroker { log.trace("waiting to consume response"); responses.wait(timeout); if (System.currentTimeMillis() - beforeWait >= timeout) { - log.warn("timeout while waiting to consume response, cleanup requests"); + log.warn("Timeout while waiting to consume response, cleanup requests."); requests.clear(); hashDataInputs.clear(); return Collections.singletonList((STALResponse) new ErrorResponse(ERR_4500)); @@ -218,7 +218,7 @@ public class STALRequestBrokerImpl implements STALRequestBroker { log.trace("waiting to consume request"); requests.wait(timeout); if (System.currentTimeMillis() - beforeWait >= timeout) { - log.warn("timeout while waiting to consume request"); + log.warn("Timeout while waiting to consume request."); return createSingleQuitRequest(); } } 
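Review bot: The replacement logger `private final Logger log = LoggerFactory.getLogger(STALRequestBrokerImpl.class)` is now an instance field, so every broker (presumably one per `RequestBrokerSTALFactory.createSTAL()` call) performs its own logger lookup and carries its own reference; the conventional form is `private static final Logger log = ...`. The same applies to the `@@ -68,10` hunk of `STALServiceImpl`, where the static initializer has to create a second, local `Logger` precisely because the field is no longer static. The message-wording hunks that follow are fine; only note that the new capitalised `log.warn("Timeout while waiting ...")` messages now differ in style from untouched lines in the same file such as `log.trace("waiting to consume response")`.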
@@ -250,11 +250,11 @@ public class STALRequestBrokerImpl implements STALRequestBroker { } try { synchronized (requests) { - log.trace("received responses, now consume request"); + log.trace("Received responses, now consume request."); if (requests.size() != 0) { requests.clear(); } else { - log.warn("requests queue is empty, response might have already been produced previously "); + log.warn("Requests queue is empty, response might have already been produced previously."); // return QUIT? } } @@ -266,7 +266,7 @@ public class STALRequestBrokerImpl implements STALRequestBroker { log.trace("waiting to produce response"); responses.wait(timeout); if (System.currentTimeMillis() - beforeWait >= timeout) { - log.warn("timeout while waiting to produce response"); + log.warn("Timeout while waiting to produce response."); return createSingleQuitRequest(); } } @@ -281,7 +281,7 @@ public class STALRequestBrokerImpl implements STALRequestBroker { log.trace("notifying response consumers"); responses.notify(); } else { - log.error("Received NextRequest without responses, return QUIT"); + log.error("Received NextRequest without responses, return QUIT."); return createSingleQuitRequest(); } } @@ -292,11 +292,11 @@ public class STALRequestBrokerImpl implements STALRequestBroker { log.trace("waiting to consume request"); requests.wait(timeout); if (System.currentTimeMillis() - beforeWait >= timeout) { - log.warn("timeout while waiting to consume request"); + log.warn("Timeout while waiting to consume request."); return createSingleQuitRequest(); } } - log.trace("don't consume request now, but on next response delivery"); + log.trace("Don't consume request now, but on next response delivery."); return requests; } } catch (InterruptedException ex) { 
@@ -309,7 +309,7 @@ public class STALRequestBrokerImpl implements STALRequestBroker { @Override public List getHashDataInput() { synchronized (requests) { - log.trace("return " + hashDataInputs.size() + " current HashDataInput(s) "); + log.trace("Return {} current HashDataInput(s).", hashDataInputs.size()); return hashDataInputs; } } diff --git a/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/STALServiceImpl.java b/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/STALServiceImpl.java index c8ab280f..e32dad8f 100644 --- a/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/STALServiceImpl.java +++ b/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/STALServiceImpl.java @@ -16,13 +16,30 @@ */ package at.gv.egiz.stal.service.impl; +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.io.InputStream; +import java.util.HashMap; +import java.util.List; +import java.util.Map; + +import javax.annotation.Resource; +import javax.jws.WebService; +import javax.servlet.ServletContext; +import javax.xml.bind.JAXBElement; +import javax.xml.ws.WebServiceContext; +import javax.xml.ws.handler.MessageContext; + +import org.slf4j.MDC; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + import at.buergerkarte.namespaces.cardchannel.service.CommandAPDUType; import at.buergerkarte.namespaces.cardchannel.service.ScriptType; import at.gv.egiz.bku.binding.BindingProcessor; import at.gv.egiz.bku.binding.BindingProcessorManager; import at.gv.egiz.bku.binding.Id; import at.gv.egiz.bku.binding.IdFactory; - import at.gv.egiz.stal.HashDataInput; import at.gv.egiz.stal.service.GetHashDataInputFault; import at.gv.egiz.stal.service.STALPortType; 
@@ -38,25 +55,8 @@ import at.gv.egiz.stal.service.types.RequestType;
 import at.gv.egiz.stal.service.types.ResponseType;
 import at.gv.egiz.stal.service.types.SignRequestType;
 import at.gv.egiz.stal.service.types.GetHashDataInputType.Reference;
-//import at.gv.egiz.stal.service.types.GetHashDataInputResponseType.Reference;
 import com.sun.xml.ws.developer.UsesJAXBContext;
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.nio.charset.Charset;
-import java.util.HashMap;
-import java.util.Iterator;
-import java.util.List;
-import java.util.Map;
-import javax.annotation.Resource;
-import javax.jws.WebService;
-import javax.servlet.ServletContext;
-import javax.xml.bind.JAXBElement;
-import javax.xml.ws.WebServiceContext;
-import javax.xml.ws.handler.MessageContext;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
 /**
  *
@@ -68,10 +68,10 @@ public class STALServiceImpl implements STALPortType {
  public static final String BINDING_PROCESSOR_MANAGER = "bindingProcessorManager";
  public static final Id TEST_SESSION_ID = IdFactory.getInstance().createId("TestSession");
- protected static final Log log = LogFactory.getLog(STALServiceImpl.class);
-
+ private final Logger log = LoggerFactory.getLogger(STALServiceImpl.class);
  static {
+ Logger log = LoggerFactory.getLogger(STALServiceImpl.class);
  if (log.isTraceEnabled()) {
  log.trace("enabling webservice communication dump");
  System.setProperty("com.sun.xml.ws.transport.http.HttpAdapter.dump", "true");
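Review bot: The new `log` field is declared per instance (`private final Logger log`), which forces the static initializer on the following line to build a second logger for the same class just to consult `isTraceEnabled()`; declaring it `private static final Logger log = LoggerFactory.getLogger(STALServiceImpl.class);` lets the static block and the instance methods share one logger and removes the local copy. Worth keeping in mind when configuring logging: the trace check this block keeps sets the process-wide system property `com.sun.xml.ws.transport.http.HttpAdapter.dump` (the hunk's own log line calls it a webservice communication dump), so this class's logger should stay above TRACE outside of debugging sessions. The class body continues outside the hunk.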
@@ -91,227 +91,242 @@ public class STALServiceImpl implements STALPortType {
  public GetNextRequestResponseType connect(String sessId) {
  if (sessId == null) {
- throw new NullPointerException("No session id provided");
+ throw new NullPointerException("No session id provided.");
  }
  Id sessionId = idF.createId(sessId);
+ MDC.put("id", sessionId.toString());
- if (log.isDebugEnabled()) {
- log.debug("Received Connect [" + sessionId + "]");
- }
-
- if (TEST_SESSION_ID.equals(sessionId)) {
- return getTestSessionNextRequestResponse(null);
- }
-
- GetNextRequestResponseType response = new GetNextRequestResponseType();
- response.setSessionId(sessionId.toString());
-
- STALRequestBroker stal = getStal(sessionId);
-
- if (stal != null) {
-
- List> requestsOut = ((STALRequestBroker) stal).connect();
- response.getInfoboxReadRequestOrSignRequestOrQuitRequest().addAll(requestsOut);
-
- if (log.isDebugEnabled()) {
- StringBuilder sb = new StringBuilder("Returning initial GetNextRequestResponse [");
- sb.append(sessionId.toString());
- sb.append("] containing ");
- sb.append(requestsOut.size());
- sb.append(" requests: ");
- for (JAXBElement reqOut : requestsOut) {
- sb.append(reqOut.getValue().getClass());
- sb.append(' ');
+ try {
+ log.debug("Received Connect.");
+
+ if (TEST_SESSION_ID.equals(sessionId)) {
+ return getTestSessionNextRequestResponse(null);
+ }
+
+ GetNextRequestResponseType response = new GetNextRequestResponseType();
+ response.setSessionId(sessionId.toString());
+
+ STALRequestBroker stal = getStal(sessionId);
+
+ if (stal != null) {
+
+ List> requestsOut = ((STALRequestBroker) stal).connect();
+ response.getInfoboxReadRequestOrSignRequestOrQuitRequest().addAll(requestsOut);
+
+ if (log.isDebugEnabled()) {
+ StringBuilder sb = new StringBuilder("Returning initial GetNextRequestResponse containing ");
+ sb.append(requestsOut.size());
+ sb.append(" requests: ");
+ for (JAXBElement reqOut : requestsOut) {
+ sb.append(reqOut.getValue().getClass());
+ sb.append(' ');
+ }
+ log.debug(sb.toString());
  }
- log.debug(sb.toString());
+ } else {
+ log.error("Failed to get STAL, returning QuitRequest.");
+ QuitRequestType quitT = stalObjFactory.createQuitRequestType();
+ JAXBElement quit = stalObjFactory.createGetNextRequestResponseTypeQuitRequest(quitT);
+ response.getInfoboxReadRequestOrSignRequestOrQuitRequest().add(quit);
  }
- } else {
- log.error("Failed to get STAL for session " + sessionId + ", returning QuitRequest");
- QuitRequestType quitT = stalObjFactory.createQuitRequestType();
- JAXBElement quit = stalObjFactory.createGetNextRequestResponseTypeQuitRequest(quitT);
- response.getInfoboxReadRequestOrSignRequestOrQuitRequest().add(quit);
+ return response;
+
+ } finally {
+ MDC.remove("id");
  }
- return response;
  }
  @Override
  public GetNextRequestResponseType getNextRequest(GetNextRequestType request) {
  if (request.getSessionId() == null) {
- throw new NullPointerException("No session id provided");
+ throw new NullPointerException("No session id provided.");
  }
  Id sessionId = idF.createId(request.getSessionId());
+ MDC.put("id", sessionId.toString());
- List> responsesIn = request.getInfoboxReadResponseOrSignResponseOrErrorResponse();
-// List responsesIn = request.getInfoboxReadResponseOrSignResponseOrErrorResponse();//getResponse();
+ try {
- if (log.isDebugEnabled()) {
- StringBuilder sb = new StringBuilder("Received GetNextRequest [");
- sb.append(sessionId.toString());
- sb.append("] containing ");
- sb.append(responsesIn.size());
- sb.append(" responses: ");
- for (JAXBElement respIn : responsesIn) {
- sb.append(respIn.getValue().getClass());
- sb.append(' ');
- }
- log.debug(sb.toString());
- }
-
- if (TEST_SESSION_ID.equals(sessionId)) {
- return getTestSessionNextRequestResponse(responsesIn);
- }
-
- GetNextRequestResponseType response = new GetNextRequestResponseType();
- response.setSessionId(sessionId.toString());
-
- STALRequestBroker stal = getStal(sessionId);
-
- if (stal != null) {
-
- List> requestsOut = ((STALRequestBroker) stal).nextRequest(responsesIn);
- response.getInfoboxReadRequestOrSignRequestOrQuitRequest().addAll(requestsOut);
+ List> responsesIn = request.getInfoboxReadResponseOrSignResponseOrErrorResponse();
  if (log.isDebugEnabled()) {
- StringBuilder sb = new StringBuilder("Returning GetNextRequestResponse [");
- sb.append(sessionId.toString());
- sb.append("] containing ");
- sb.append(requestsOut.size());
- sb.append(" requests: ");
- for (JAXBElement reqOut : requestsOut) {
- sb.append(reqOut.getValue().getClass());
+ StringBuilder sb = new StringBuilder("Received GetNextRequest containing ");
+ sb.append(responsesIn.size());
+ sb.append(" responses: ");
+ for (JAXBElement respIn : responsesIn) {
+ sb.append(respIn.getValue().getClass());
  sb.append(' ');
  }
  log.debug(sb.toString());
  }
- } else {
- log.error("Failed to get STAL for session " + sessionId + ", returning QuitRequest");
- QuitRequestType quitT = stalObjFactory.createQuitRequestType();
- JAXBElement quit = stalObjFactory.createGetNextRequestResponseTypeQuitRequest(quitT);
- response.getInfoboxReadRequestOrSignRequestOrQuitRequest().add(quit);
+
+ if (TEST_SESSION_ID.equals(sessionId)) {
+ return getTestSessionNextRequestResponse(responsesIn);
+ }
+
+ GetNextRequestResponseType response = new GetNextRequestResponseType();
+ response.setSessionId(sessionId.toString());
+
+ STALRequestBroker stal = getStal(sessionId);
+
+ if (stal != null) {
+
+ List> requestsOut = ((STALRequestBroker) stal).nextRequest(responsesIn);
+ response.getInfoboxReadRequestOrSignRequestOrQuitRequest().addAll(requestsOut);
+
+ if (log.isDebugEnabled()) {
+ StringBuilder sb = new StringBuilder("Returning GetNextRequestResponse containing ");
+ sb.append(requestsOut.size());
+ sb.append(" requests: ");
+ for (JAXBElement reqOut : requestsOut) {
+ sb.append(reqOut.getValue().getClass());
+ sb.append(' ');
+ }
+ log.debug(sb.toString());
+ }
+ } else {
+ log.error("Failed to get STAL, returning QuitRequest.");
+ QuitRequestType quitT = stalObjFactory.createQuitRequestType();
+ JAXBElement quit = stalObjFactory.createGetNextRequestResponseTypeQuitRequest(quitT);
+ response.getInfoboxReadRequestOrSignRequestOrQuitRequest().add(quit);
+ }
+ return response;
+
+ } finally {
+ MDC.remove("id");
  }
- return response;
  }
  @Override
  public GetHashDataInputResponseType getHashDataInput(GetHashDataInputType request) throws GetHashDataInputFault {
  if (request.getSessionId() == null) {
- throw new NullPointerException("No session id provided");
+ throw new NullPointerException("No session id provided.");
  }
  Id sessionId = idF.createId(request.getSessionId());
+ MDC.put("id", sessionId.toString());
- if (log.isDebugEnabled()) {
- log.debug("Received GetHashDataInputRequest for session " + sessionId + " containing " + request.getReference().size() + " reference(s)");
- }
-
- if (TEST_SESSION_ID.equals(sessionId)) {
- return getTestSessionHashDataInputResponse(request.getReference());
- }
-
- GetHashDataInputResponseType response = new GetHashDataInputResponseType();
- response.setSessionId(sessionId.toString());
-
- STALRequestBroker stal = getStal(sessionId);
-
- if (stal != null) {
- List hashDataInputs = stal.getHashDataInput();
-
- if (hashDataInputs != null) {
-
- Map hashDataIdMap = new HashMap();
- for (HashDataInput hdi : hashDataInputs) {
- if (log.isTraceEnabled()) {
- log.trace("Provided HashDataInput for reference " + hdi.getReferenceId());
- }
- hashDataIdMap.put(hdi.getReferenceId(), hdi);
- }
-
- List reqRefs = request.getReference();
- for (GetHashDataInputType.Reference reqRef : reqRefs) {
- String reqRefId = reqRef.getID();
- HashDataInput reqHdi = hashDataIdMap.get(reqRefId);
- if (reqHdi == null) {
- String msg = "Failed to resolve HashDataInput for reference " + reqRefId;
- log.error(msg);
- GetHashDataInputFaultType faultInfo = new GetHashDataInputFaultType();
- faultInfo.setErrorCode(1);
- faultInfo.setErrorMessage(msg);
- throw new GetHashDataInputFault(msg, faultInfo);
- }
-
- InputStream hashDataIS = reqHdi.getHashDataInput();
- if (hashDataIS == null) {
- //HashDataInput not cached?
- String msg = "Failed to obtain HashDataInput for reference " + reqRefId + ", reference not cached";
- log.error(msg);
- GetHashDataInputFaultType faultInfo = new GetHashDataInputFaultType();
- faultInfo.setErrorCode(1);
- faultInfo.setErrorMessage(msg);
- throw new GetHashDataInputFault(msg, faultInfo);
+ try {
+
+ if (log.isDebugEnabled()) {
+ log.debug("Received GetHashDataInputRequest containing {} reference(s).", request.getReference().size());
+ }
+
+ if (TEST_SESSION_ID.equals(sessionId)) {
+ return getTestSessionHashDataInputResponse(request.getReference());
+ }
+
+ GetHashDataInputResponseType response = new GetHashDataInputResponseType();
+ response.setSessionId(sessionId.toString());
+
+ STALRequestBroker stal = getStal(sessionId);
+
+ if (stal != null) {
+ List hashDataInputs = stal.getHashDataInput();
+
+ if (hashDataInputs != null) {
+
+ Map hashDataIdMap = new HashMap();
+ for (HashDataInput hdi : hashDataInputs) {
+ if (log.isTraceEnabled()) {
+ log.trace("Provided HashDataInput for reference {}.", hdi.getReferenceId());
+ }
+ hashDataIdMap.put(hdi.getReferenceId(), hdi);
  }
- ByteArrayOutputStream baos = null;
- try {
- if (log.isDebugEnabled()) {
- log.debug("Resolved HashDataInput " + reqRefId + " (" + reqHdi.getMimeType() + ";charset=" + reqHdi.getEncoding() + ")");
+
+ List reqRefs = request.getReference();
+ for (GetHashDataInputType.Reference reqRef : reqRefs) {
+ String reqRefId = reqRef.getID();
+ HashDataInput reqHdi = hashDataIdMap.get(reqRefId);
+ if (reqHdi == null) {
+ String msg = "Failed to resolve HashDataInput for reference " + reqRefId;
+ log.error(msg);
+ GetHashDataInputFaultType faultInfo = new GetHashDataInputFaultType();
+ faultInfo.setErrorCode(1);
+ faultInfo.setErrorMessage(msg);
+ throw new GetHashDataInputFault(msg, faultInfo);
  }
- baos = new ByteArrayOutputStream(hashDataIS.available());
- int c;
- while ((c = hashDataIS.read()) != -1) {
- baos.write(c);
+
+ InputStream hashDataIS = reqHdi.getHash
DataInput();
+ if (hashDataIS == null) {
+ //HashDataInput not cached?
+ String msg = "Failed to obtain HashDataInput for reference " + reqRefId + ", reference not cached";
+ log.error(msg);
+ GetHashDataInputFaultType faultInfo = new GetHashDataInputFaultType();
+ faultInfo.setErrorCode(1);
+ faultInfo.setErrorMessage(msg);
+ throw new GetHashDataInputFault(msg, faultInfo);
  }
- GetHashDataInputResponseType.Reference ref = new GetHashDataInputResponseType.Reference();
- ref.setID(reqRefId);
- ref.setMimeType(reqHdi.getMimeType());
- ref.setEncoding(reqHdi.getEncoding());
- ref.setFilename(reqHdi.getFilename());
- ref.setValue(baos.toByteArray());
- response.getReference().add(ref);
- } catch (IOException ex) {
- String msg = "Failed to get HashDataInput for reference " + reqRefId;
- log.error(msg, ex);
- GetHashDataInputFaultType faultInfo = new GetHashDataInputFaultType();
- faultInfo.setErrorCode(1);
- faultInfo.setErrorMessage(msg);
- throw new GetHashDataInputFault(msg, faultInfo, ex);
- } finally {
+ ByteArrayOutputStream baos = null;
  try {
- baos.close();
+ if (log.isDebugEnabled()) {
+ Object[] args = {reqRefId, reqHdi.getMimeType(), reqHdi.getEncoding()};
+ log.debug("Resolved HashDataInput {} ({};charset={}).", args);
+ }
+ baos = new ByteArrayOutputStream(hashDataIS.available());
+ int c;
+ while ((c = hashDataIS.read()) != -1) {
+ baos.write(c);
+ }
+ GetHashDataInputResponseType.Reference ref = new GetHashDataInputResponseType.Reference();
+ ref.setID(reqRefId);
+ ref.setMimeType(reqHdi.getMimeType());
+ ref.setEncoding(reqHdi.getEncoding());
+ ref.setFilename(reqHdi.getFilename());
+ ref.setValue(baos.toByteArray());
+ response.getReference().add(ref);
  } catch (IOException ex) {
+ String msg = "Failed to get HashDataInput for reference " + reqRefId;
+ log.error(msg, ex);
+ GetHashDataInputFaultType faultInfo = new GetHashDataInputFaultType();
+ faultInfo.setErrorCode(1);
+ faultInfo.setErrorMessage(msg);
+ throw new GetHashDataInputFault(msg, faultInfo, ex);
+ } finally {
+ try {
+ baos.close();
+ } catch (IOException ex) {
+ }
  }
  }
+ return response;
+ } else {
+ String msg = "Failed to resolve any HashDataInputs.";
+ log.error(msg);
+ GetHashDataInputFaultType faultInfo = new GetHashDataInputFaultType();
+ faultInfo.setErrorCode(1);
+ faultInfo.setErrorMessage(msg);
+ throw new GetHashDataInputFault(msg, faultInfo);
  }
- return response;
  } else {
- String msg = "Failed to resolve any HashDataInputs for session " + sessionId;
+ String msg = "Session timeout."; //Failed to get STAL for session " + sessionId;
  log.error(msg);
  GetHashDataInputFaultType faultInfo = new GetHashDataInputFaultType();
  faultInfo.setErrorCode(1);
  faultInfo.setErrorMessage(msg);
  throw new GetHashDataInputFault(msg, faultInfo);
  }
- } else {
- String msg = "Session timeout"; //Failed to get STAL for session " + sessionId;
- log.error(msg + " " + sessionId);
- GetHashDataInputFaultType faultInfo = new GetHashDataInputFaultType();
- faultInfo.setErrorCode(1);
- faultInfo.setErrorMessage(msg);
- throw new GetHashDataInputFault(msg, faultInfo);
+
+ } finally {
+ MDC.remove("id");
  }
  }
  private STALRequestBroker getStal(Id sessionId) {
- if (log.isTraceEnabled()) {
- log.trace("resolve STAL for session " + sessionId);
- }
+ log.trace("Resolve STAL for session [{}].", sessionId);
  MessageContext mCtx = wsContext.getMessageContext();
  ServletContext sCtx = (ServletContext) mCtx.get(MessageContext.SERVLET_CONTEXT);
  BindingProcessorManager bpMgr = (BindingProcessorManager) sCtx.getAttribute(BINDING_PROCESSOR_MANAGER);
- BindingProcessor bp = bpMgr.getBindingProcessor(sessionId);
- return (bp == null) ? null : (bp.isFinished() ? null : (STALRequestBroker) bp.getSTAL());
+ BindingProcessor bindingProcessor = bpMgr.getBindingProcessor(sessionId);
+ if (bindingProcessor != null) {
+ if (bindingProcessor.getSTAL() instanceof STALRequestBroker) {
+ return (STALRequestBroker) bindingProcessor.getSTAL();
+ }
+ }
+ return null;
  }
  private GetNextRequestResponseType getTestSessionNextRequestResponse(List> responsesIn) {
@@ -359,6 +374,7 @@ public class STALServiceImpl implements STALPortType {
  return response;
  }
+ @SuppressWarnings("unused")
  private void addTestCardChannelRequest(List> requestList) {
  log.info("[TestSession] add CARDCHANNEL request");
  ScriptType scriptT = ccObjFactory.createScriptType();
@@ -368,6 +384,7 @@ public class STALServiceImpl implements STALPortType {
  requestList.add(ccObjFactory.createScript(scriptT));
  }
+ @SuppressWarnings("unused")
  private void addTestInfoboxReadRequest(String infoboxIdentifier, List> requestList) {
  log.info("[TestSession] add READ "+ infoboxIdentifier + " request");
  InfoboxReadRequestType ibrT = stalObjFactory.createInfoboxReadRequestType();
diff --git a/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/STALXJAXBContextFactory.java b/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/STALXJAXBContextFactory.java
index 9caf950f..300f01d0 100644
--- a/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/STALXJAXBContextFactory.java
+++ b/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/STALXJAXBContextFactory.java
@@ -23,8 +23,8 @@ import com.sun.xml.ws.developer.JAXBContextFactory;
 import java.util.ArrayList;
 import java.util.List;
 import javax.xml.bind.JAXBException;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 /**
  *
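Review bot: In the new getHashDataInput() body the `finally` that calls `baos.close()` also runs when `hashDataIS.available()` or the `new ByteArrayOutputStream(...)` threw before `baos` was assigned, so a `NullPointerException` replaces the `GetHashDataInputFault` that the `catch (IOException ex)` branch just built; since `ByteArrayOutputStream.close()` has no effect, the simplest fix is to delete that `finally` block, or at least guard it with `if (baos != null)`. The `hashDataIS` stream returned by `reqHdi.getHashDataInput()` is never closed on any path; if it is not a memory-backed stream it should be closed once the copy loop finishes. Separately, the rewritten `getStal()` no longer consults `bp.isFinished()`, so a binding processor that has already completed can still hand its STAL to any caller presenting that session id — if `isFinished()` still exists on `BindingProcessor`, that check looks worth restoring, e.g. `if (bindingProcessor != null && !bindingProcessor.isFinished()) {`.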
@@ -32,8 +32,9 @@ import org.apache.commons.logging.LogFactory;
  */
 public class STALXJAXBContextFactory implements JAXBContextFactory {
- private static final Log log = LogFactory.getLog(STALXJAXBContextFactory.class);
+ private final Logger log = LoggerFactory.getLogger(STALXJAXBContextFactory.class);
+ @SuppressWarnings("unchecked")
  @Override
  public JAXBRIContext createJAXBContext(SEIModel sei, List classesToBind, List typeReferences) throws JAXBException {
  if (log.isTraceEnabled()) {
diff --git a/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/TestSignatureData.java b/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/TestSignatureData.java
index 2f58bb3d..45efc890 100644
--- a/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/TestSignatureData.java
+++ b/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/TestSignatureData.java
@@ -6,13 +6,11 @@ import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 public final class TestSignatureData {
- protected final static Log log = LogFactory.getLog(TestSignatureData.class);
-
  public static final String[] ID = new String[] {"signed-data-reference-0-1214921968-27971781-24309", "signed-data-reference-1"};
  public static final String ENCODING = "UTF-8";
@@ -22,6 +20,7 @@ public final class TestSignatureData {
  HASHDATA_INPUT.put(ID[0], "Ich bin ein einfacher Text. lläöü߀".getBytes(ENCODING));
  HASHDATA_INPUT.put(ID[1], "2te referenz".getBytes(ENCODING));
  } catch (UnsupportedEncodingException ex) {
+ Logger log = LoggerFactory.getLogger(TestSignatureData.class);
  log.error("failed to init signature test data", ex);
  }
  }
diff --git a/BKUOnline/src/main/policy/50mocca.policy b/BKUOnline/src/main/policy/50mocca.policy
index 2d6bc13d..8cda9eb6 100644
--- a/BKUOnline/src/main/policy/50mocca.policy
+++ b/BKUOnline/src/main/policy/50mocca.policy
@@ -18,8 +18,7 @@
 // || IMPORTANT: REVIEW AND ADAPT TO YOUR NEEDS PRIOR TO INSTALLATION
 // =========================================================================
 //
-// (set -Djava.security.debug=access,failure and search for "FAILED")
-//
+// (set -Djava.security.debug=access,failure and search for "denied" (failed))
 //
 // ========== MOCCA CODE PERMISSIONS =======================================
 //
@@ -27,9 +26,11 @@
 // with ${catalina.base}/webapps/
 // replace ${catalina.base}/work/Catalina/localhost/bkuonline
 // with ${catalina.base}/work/Catalina/localhost/ (the path to the compiled JSPs, excl. package dir: org/apache/jsp/)
-// replace version info in utils-1.2.10.jar and bkucommon-1.2.10.jar
+// replace version info in
+// ${catalina.base}/webapps/bkuonline/WEB-INF/lib/utils-1.2.12.jar and
+// ${catalina.base}/webapps/bkuonline/WEB-INF/lib/bkucommon-1.2.12.jar
 // with current version
-// replace apps.egiz.gv.at
+// replace www.sozialversicherung.gv.at:443
 // with
 // replace localhost:8080
 // with
@@ -40,7 +41,7 @@
 //
 // replace www.a-trust.at and ksp.ecard.sozialversicherung.gv.at
 // with
-// replace ldap.a-trust.at:389 and ocsp.ecard.sozialversicherung.at:80
+// replace ldap.a-trust.at:389, ocsp.a-trust.at:80 and ocsp.ecard.sozialversicherung.at:80
 // with (OCSP, CRLs)
 //
@@ -49,6 +50,8 @@ grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
  permission java.lang.RuntimePermission "accessClassInPackage.sun.util.logging.resources";
  permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/logging.properties", "read";
+ // (for manager webapp)
+ // permission java.lang.RuntimePermission "setContextClassLoader";
 };
 grant codeBase "file:${catalina.base}/work/Catalina/localhost/bkuonline" {
@@ -58,47 +61,25 @@ grant codeBase "file:${catalina.base}/work/Catalina/localhost/bkuonline" {
 // =========== MOCCA grants
 //
-grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/classes/-" {
- permission java.security.AllPermission;
-// permission java.io.FilePermission "${catalina.base}/logs", "read, write";
-// permission java.io.FilePermission "${catalina.base}/logs/*", "read, write";
-// permission java.io.FilePermission "${catalina.base}/logs/*", "delete";
-// permission java.util.PropertyPermission "com.sun.xml.ws.fault.SOAPFaultBuilder.disableCaptureStackTrace", "write";
-// permission java.util.PropertyPermission "com.sun.xml.ws.transport.http.HttpAdapter.dump", "write";
-};
-
-grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/-" {
- // the log4j configuration might want to write logs to ${catalina.base}/logs/bkuonline.log
+grant codeBase "file:${catalina.base}/webapps/bkuonline/-" {
  permission java.io.FilePermission "${catalina.base}/logs", "read, write";
  permission java.io.FilePermission "${catalina.base}/logs/*", "read, write";
  permission java.io.FilePermission "${catalina.base}/logs/*", "delete";
-};
-
-grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/utils-1.2.10.jar" {
- permission java.util.PropertyPermission "*", "read";
- permission java.net.SocketPermission "www.a-trust.at:80", "connect, resolve";
- permission java.net.SocketPermission "ksp.ecard.sozialversicherung.gv.at:80", "connect,resolve";
-// permission java.net.SocketPermission "localhost:8080", "connect, resolve";
- permission java.net.SocketPermission "www.xslt-stylesheet-include-url.org:80", "connect, resolve";
- permission java.lang.RuntimePermission "accessDeclaredMembers";
- permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
-};
-
-grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/bkucommon-1.2.10.jar" {
- permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write";
- permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write";
- permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete";
- permission java.io.FilePermission "../conf/secret.xml", "read";
+ // DataURLs
  permission java.net.SocketPermission "apps.egiz.gv.at:443", "connect, resolve";
+ permission java.net.SocketPermission "www.buergerkarte.at:443", "connect, resolve";
+ permission java.net.SocketPermission "www.sozialversicherung.gv.at:443", "connect, resolve";
+
+ // other resources (crls, persb.xsl, ...)
  permission java.net.SocketPermission "www.a-trust.at:80", "connect, resolve";
  permission java.net.SocketPermission "ksp.ecard.sozialversicherung.gv.at:80", "connect,resolve";
  permission java.net.SocketPermission "ldap.a-trust.at:389", "connect, resolve";
+ permission java.net.SocketPermission "ocsp.a-trust.at:80", "connect, resolve";
  permission java.net.SocketPermission "ocsp.ecard.sozialversicherung.at:80", "connect, resolve";
  // permission java.net.SocketPermission "localhost:8080", "connect, resolve";
- permission java.net.SocketPermission "www.xslt-stylesheet-include-url.org:80", "connect, resolve";
- permission java.net.NetPermission "specifyStreamHandler";
- permission java.util.PropertyPermission "*", "read, write";
+// permission java.net.SocketPermission "www.xslt-stylesheet-include-url.org:80", "connect, resolve";
+
  permission java.security.SecurityPermission "insertProvider.IAIK";
  permission java.security.SecurityPermission "putProviderProperty.IAIK";
  permission java.security.SecurityPermission "removeProvider.IAIK";
@@ -111,143 +92,127 @@ grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/bkucommon-1.
  // XMLDSig is moved backwards by XSECT
  permission java.security.SecurityPermission "insertProvider.XMLDSig";
  permission java.security.SecurityPermission "removeProvider.XMLDSig";
+
+ permission java.util.PropertyPermission "*", "read";
  permission java.lang.RuntimePermission "accessDeclaredMembers";
- permission java.lang.RuntimePermission "setFactory";
+ permission java.lang.RuntimePermission "getClassLoader";
  permission java.lang.RuntimePermission "getProtectionDomain";
+ //bkucommon,pki
  permission java.lang.RuntimePermission "accessClassInPackage.sun.net.www.protocol.ldap";
+ //jax-ws jaxb
+ permission java.lang.RuntimePermission "accessClassInPackage.sun.util.logging.resources";
+ //permission java.lang.RuntimePermission "modifyThread";
+ //permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+ permission java.net.NetPermission "specifyStreamHandler";
+};
+
+grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/classes/-" {
+// permission java.util.PropertyPermission "com.sun.xml.ws.fault.SOAPFaultBuilder.disableCaptureStackTrace", "write";
+// permission java.util.PropertyPermission "com.sun.xml.ws.transport.http.HttpAdapter.dump", "write";
+
+ permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write";
+ permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write";
+ permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete";
+
+ permission java.lang.RuntimePermission "defineClassInPackage.java.lang";
+ permission java.util.PropertyPermission "*", "read, write";
  permission java.lang.RuntimePermission "modifyThread";
+ permission java.lang.RuntimePermission "setFactory";
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
 };
-grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/iaik_jce_full_signed-3.16.jar" {
+grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/utils-1.2.12.jar" {
+// permission java.lang.RuntimePermission "accessDeclaredMembers";
+ permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+};
+
+grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/bkucommon-1.2.12.jar" {
+ permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write";
+ permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write";
+ permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete";
+ permission java.io.FilePermission "${catalina.base}/temp/*", "read, write";
+// permission java.io.FilePermission "../conf/secret.xml", "read";
  permission java.util.PropertyPermission "*", "read, write";
- permission java.security.SecurityPermission "insertProvider.IAIK";
- permission java.security.SecurityPermission "putProviderProperty.IAIK";
- permission java.security.SecurityPermission "removeProvider.IAIK";
- permission java.net.SocketPermission "ldap.a-trust.at:389", "connect, resolve";
- permission java.net.SocketPermission "ocsp.ecard.sozialversicherung.at:80", "connect, resolve";
+ permission java.lang.RuntimePermission "modifyThread";
+ permission java.lang.RuntimePermission "setFactory";
+ permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
 };
-grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/iaik_ecc_signed-2.15.jar" {
- permission java.security.SecurityPermission "insertProvider.IAIK_ECC";
- permission java.security.SecurityPermission "putProviderProperty.IAIK_ECC";
+grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/iaik_jce_full_signed-3.16.jar" {
+ permission java.util.PropertyPermission "*", "read, write";
 };
 grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/iaik_xsect-1.14.jar" {
  permission java.util.PropertyPermission "*", "read, write";
- permission java.security.SecurityPermission "insertProvider.IAIK";
- permission java.security.SecurityPermission "putProviderProperty.IAIK";
- permission java.security.SecurityPermission "removeProvider.IAIK";
- permission java.security.SecurityPermission "insertProvider.XSECT";
- permission java.security.SecurityPermission "putProviderProperty.XSECT";
- permission java.security.SecurityPermission "insertProvider.XMLDSig";
- permission java.security.SecurityPermission "removeProvider.XMLDSig";
 };
 grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/iaik_pki-1.0-MOCCA.jar" {
  permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write";
  permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write";
  permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete";
- permission java.net.SocketPermission "www.a-trust.at:80", "connect, resolve";
- permission java.net.SocketPermission "ldap.a-trust.at:389", "connect, resolve";
- permission java.net.SocketPermission "ocsp.ecard.sozialversicherung.at:80", "connect, resolve";
- permission java.net.NetPermission "specifyStreamHandler";
- permission java.lang.RuntimePermission "accessClassInPackage.sun.net.www.protocol.ldap";
+ //permission java.net.NetPermission "specifyStreamHandler";
+ //permission java.lang.RuntimePermission "accessClassInPackage.sun.net.www.protocol.ldap";
 };
 grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/xalan-2.7.1.jar" {
  permission java.io.FilePermission "${java.home}/lib/xalan.properties", "read";
- permission java.util.PropertyPermission "*", "read";
- permission java.lang.RuntimePermission "getClassLoader";
-};
-
-grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/serializer-2.7.1.jar" {
- permission java.util.PropertyPermission "*", "read";
- permission java.lang.RuntimePermission "getClassLoader";
+ //permission java.lang.RuntimePermission "getClassLoader";
 };
 // allow xsl:include from the specified URL
-grant codeBase "jar:file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/xalan-2.7.1.jar!/org/apache/xalan/processor/-" {
- permission java.net.SocketPermission "www.xslt-stylesheet-include-url.org:80", "connect, resolve";
-};
+//grant codeBase "jar:file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/xalan-2.7.1.jar!/org/apache/xalan/processor/-" {
+// permission java.net.SocketPermission "www.xslt-stylesheet-include-url.org:80", "connect, resolve";
+//};
 // allow XSLT document function to reference the specified URL
-grant codeBase "jar:file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/xalan-2.7.1.jar!/org/apache/xalan/xsltc/dom/LoadDocument.class" {
- permission java.io.FilePermission "../conf/secret.xml", "read";
-};
+//grant codeBase "jar:file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/xalan-2.7.1.jar!/org/apache/xalan/xsltc/dom/LoadDocument.class" {
+// permission java.io.FilePermission "../conf/secret.xml", "read";
+//};
 // use tomcat/jre endorsed xerces instead
 grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/xercesImpl-2.9.1.jar" {
  permission java.io.FilePermission "${java.home}/lib/xerces.properties", "read";
  // permission java.io.FilePermission "../conf/secret.xml", "read";
  // permission java.net.SocketPermission "www.xslt-stylesheet-include-url.org:80", "connect, resolve";
- permission java.util.PropertyPermission "*", "read";
+ permission java.io.FilePermission "/WEB-INF/classes/-", "read";
  permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
  permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.*";
- permission java.lang.RuntimePermission "getClassLoader";
- permission java.lang.RuntimePermission "accessDeclaredMembers";
+ //permission java.lang.RuntimePermission "accessDeclaredMembers";
 };
 grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/commons-logging-1.1.1.jar" {
- permission java.util.PropertyPermission "org.apache.commons.logging.*", "read";
- permission java.util.PropertyPermission "log4j.*", "read";
- permission java.util.PropertyPermission "catalina.base", "read";
- permission java.lang.RuntimePermission "getClassLoader";
  permission java.lang.RuntimePermission "defineClassInPackage.java.lang";
 };
 grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/log4j-1.2.12.jar" {
  permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/log4j.properties", "read";
- // allow log4j to read its own properties
- permission java.util.PropertyPermission "log4j.*", "read";
- permission java.util.PropertyPermission "catalina.base", "read";
  permission java.lang.RuntimePermission "defineClassInPackage.java.lang";
 };
 grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/spring-core-2.5.5.jar" {
- permission java.lang.RuntimePermission "accessDeclaredMembers";
+ //permission java.lang.RuntimePermission "accessDeclaredMembers";
  permission java.lang.RuntimePermission "modifyThread";
 };
+
 grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/spring-web-2.5.5.jar" {
  permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write";
  permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write";
  permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete";
- permission java.security.SecurityPermission "insertProvider.IAIK";
- permission java.security.SecurityPermission "putProviderProperty.IAIK";
- permission java.security.SecurityPermission "removeProvider.IAIK";
- permission java.security.SecurityPermission "insertProvider.IAIK_ECC";
- permission java.security.SecurityPermission "putProviderProperty.IAIK_ECC";
- permission java.security.SecurityPermission "insertProvider.XSECT";
- permission java.security.SecurityPermission "putProviderProperty.XSECT";
- permission java.security.SecurityPermission "insertProvider.STAL";
- permission java.security.SecurityPermission "putProviderProperty.STAL";
- permission java.security.SecurityPermission "insertProvider.XMLDSig";
- permission java.security.SecurityPermission "removeProvider.XMLDSig";
  permission java.util.PropertyPermission "*", "read, write";
- permission java.lang.RuntimePermission "accessDeclaredMembers";
+ //permission java.lang.RuntimePermission "accessDeclaredMembers";
  permission java.lang.RuntimePermission "modifyThread";
  permission java.lang.RuntimePermission "setFactory";
- permission java.lang.RuntimePermission "getProtectionDomain";
+ //permission java.lang.RuntimePermission "getProtectionDomain";
  permission java.lang.RuntimePermission "defineClassInPackage.java.lang";
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
 };
+
 grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/spring-beans-2.5.5.jar" {
  permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write";
  permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write";
  permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete";
- permission java.security.SecurityPermission "insertProvider.IAIK";
- permission java.security.SecurityPermission "putProviderProperty.IAIK";
- permission java.security.SecurityPermission "removeProvider.IAIK";
- permission java.security.SecurityPermission "insertProvider.IAIK_ECC"; - permission java.security.SecurityPermission "putProviderProperty.IAIK_ECC"; - permission java.security.SecurityPermission "insertProvider.XSECT"; - permission java.security.SecurityPermission "putProviderProperty.XSECT"; - permission java.security.SecurityPermission "insertProvider.STAL"; - permission java.security.SecurityPermission "putProviderProperty.STAL"; - permission java.security.SecurityPermission "insertProvider.XMLDSig"; - permission java.security.SecurityPermission "removeProvider.XMLDSig"; permission java.util.PropertyPermission "*", "read, write"; - permission java.lang.RuntimePermission "accessDeclaredMembers"; + //permission java.lang.RuntimePermission "accessDeclaredMembers"; permission java.lang.RuntimePermission "setFactory"; permission java.lang.RuntimePermission "getProtectionDomain"; permission java.lang.RuntimePermission "defineClassInPackage.java.lang"; 
@@ -257,19 +222,8 @@ grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/spring-conte permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write"; permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write"; permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete"; - permission java.security.SecurityPermission "insertProvider.IAIK"; - permission java.security.SecurityPermission "putProviderProperty.IAIK"; - permission java.security.SecurityPermission "removeProvider.IAIK"; - permission java.security.SecurityPermission "insertProvider.IAIK_ECC"; - permission java.security.SecurityPermission "putProviderProperty.IAIK_ECC"; - permission java.security.SecurityPermission "insertProvider.XSECT"; - permission java.security.SecurityPermission "putProviderProperty.XSECT"; - permission java.security.SecurityPermission "insertProvider.STAL"; - permission java.security.SecurityPermission "putProviderProperty.STAL"; - permission java.security.SecurityPermission "insertProvider.XMLDSig"; - permission java.security.SecurityPermission "removeProvider.XMLDSig"; permission java.util.PropertyPermission "*", "read, write"; - permission java.lang.RuntimePermission "accessDeclaredMembers"; + //permission java.lang.RuntimePermission "accessDeclaredMembers"; permission java.lang.RuntimePermission "modifyThread"; permission java.lang.RuntimePermission "setFactory"; permission java.lang.RuntimePermission "getProtectionDomain"; 
@@ -280,20 +234,21 @@ grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/spring-conte grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/jaxws-rt-2.1.5.jar" { // need write access to set disableCaptureStackTrace and HttpAdapter.dump permission java.util.PropertyPermission "com.sun.xml.ws.*", "read, write"; - permission java.util.PropertyPermission "com.sun.xml.bind.*", "read"; - permission java.util.PropertyPermission "javax.xml.soap.*", "read"; - permission java.util.PropertyPermission "javax.activation.*", "read"; - permission java.util.PropertyPermission "xml.catalog.*", "read"; - permission java.util.PropertyPermission "user.dir", "read"; - permission java.util.PropertyPermission "user.home", "read"; + //permission java.util.PropertyPermission "com.sun.xml.bind.*", "read"; + //permission java.util.PropertyPermission "javax.xml.soap.*", "read"; + //permission java.util.PropertyPermission "javax.activation.*", "read"; + //permission java.util.PropertyPermission "xml.catalog.*", "read"; + //permission java.util.PropertyPermission "user.dir", "read"; + //permission java.util.PropertyPermission "user.home", "read"; permission java.io.FilePermission "${java.home}/lib/jaxm.properties", "read"; permission java.io.FilePermission "${java.home}/lib/mailcap", "read"; permission java.io.FilePermission "${user.home}/.mailcap", "read"; permission java.io.FilePermission "basename", "read"; permission java.io.FilePermission "${catalina.home}/bin/xcatalog", "read"; - permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; - permission java.lang.RuntimePermission "accessDeclaredMembers"; - permission java.lang.RuntimePermission "accessClassInPackage.sun.util.logging.resources"; + permission java.io.FilePermission "${catalina.home}/temp/xcatalog", "read"; + permission java.io.FilePermission "/WEB-INF/classes/-", "read"; + //permission java.lang.RuntimePermission "accessDeclaredMembers"; + //permission java.lang.RuntimePermission 
"accessClassInPackage.sun.util.logging.resources"; permission java.lang.RuntimePermission "setContextClassLoader"; permission javax.management.MBeanServerPermission "createMBeanServer"; permission javax.management.MBeanPermission "com.sun.xml.ws.*", "registerMBean"; @@ -302,18 +257,16 @@ grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/jaxws-rt-2.1 }; grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/jaxb-impl-2.1.9.jar" { + //permission java.lang.RuntimePermission "accessClassInPackage.sun.util.logging.resources"; permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; - permission java.lang.RuntimePermission "accessDeclaredMembers"; - permission java.util.PropertyPermission "com.sun.xml.bind.v2.*", "read"; - permission java.util.PropertyPermission "user.dir", "read"; -}; - -grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/commons-httpclient-3.1.jar" { - permission java.util.PropertyPermission "*", "read"; +// permission java.lang.RuntimePermission "accessDeclaredMembers"; +// permission java.util.PropertyPermission "com.sun.xml.bind.v2.*", "read"; +// permission java.util.PropertyPermission "user.dir", "read"; + permission java.io.FilePermission "/WEB-INF/classes/-", "read"; }; // ======== NETBEANS -//grant codeBase "file:${catalina.base}/nblib/-" { -// permission java.security.AllPermission; -//}; \ No newline at end of file +grant codeBase "file:${catalina.base}/nblib/-" { + permission java.security.AllPermission; +}; \ No newline at end of file diff --git a/BKUOnline/src/main/policy/catalina.policy b/BKUOnline/src/main/policy/catalina.policy new file mode 100644 index 00000000..2dfb198f --- /dev/null +++ b/BKUOnline/src/main/policy/catalina.policy 
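Review bot: The added `permission java.io.FilePermission "/WEB-INF/classes/-", "read";` in the jaxws-rt grant names an absolute filesystem path, so it permits reads under a root-level `/WEB-INF` directory rather than the webapp's classes directory; FilePermission targets are not resolved against the servlet context. If the exploded webapp is meant, the target should follow the other grants in this file, `permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/-", "read";`, otherwise the line should be dropped. The same path is added to the jaxb-impl grant in the next hunk and to the xercesImpl grant earlier in the file. Keeping the six property permissions as `//` comments rather than deleting them leaves a reader unsure whether they are still required somewhere; either remove them or add a one-line reason they were disabled.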
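Review bot: Re-enabling `grant codeBase "file:${catalina.base}/nblib/-" { permission java.security.AllPermission; };` hands unrestricted permissions to any code placed under `${catalina.base}/nblib`, which undoes the purpose of running the webapp under a policy if this file is the one installed with deployments. The grant was commented out before this change and is labelled NETBEANS, so it appears to be an IDE convenience that belongs in the development policy (the new `BKUOnline/src/main/policy/catalina.policy` in this commit already carries it) rather than here. I would restore the `//` on those three lines, or at least precede them with `// development only - remove before installation`. Whether this file is the deployment policy is inferred from its `${catalina.base}/webapps/bkuonline` code bases; its header is outside this chunk.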
@@ -0,0 +1,411 @@
+// Copyright 2008 Federal Chancellery Austria and
+// Graz University of Technology
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+//
+// =========================================================================
+// || IMPORTANT: REVIEW AND ADAPT TO YOUR NEEDS PRIOR TO INSTALLATION
+// =========================================================================
+//
+// =========================================================================
+// || This file contains all default permissions from $CATALINA_HOME/conf/catalina.policy
+// || and codebase paths to development dirs (for in-place deployment of IDEs)
+// =========================================================================
+//
+// (set -Djava.security.debug=access,failure and search for "denied" (failed))
+// (-Djava.net.preferIPv4Stack=true)
+//
+// ========== MOCCA CODE PERMISSIONS =======================================
+//
+// replace ${catalina.base}/webapps/bkuonline
+// with ${catalina.base}/webapps/
+// replace ${catalina.base}/work/Catalina/localhost/bkuonline
+// with ${catalina.base}/work/Catalina/localhost/ (the path to the compiled JSPs, excl. package dir: org/apache/jsp/)
+// replace version info in
+// ${catalina.base}/webapps/bkuonline/WEB-INF/lib/BKUViewer-1.2.12.jar" {
+// ${catalina.base}/webapps/bkuonline/WEB-INF/lib/utils-1.2.12.jar and
+// ${catalina.base}/webapps/bkuonline/WEB-INF/lib/bkucommon-1.2.12.jar
+// with current version
+// replace www.sozialversicherung.gv.at:443
+// with
+// replace localhost:8080
+// with
+// replace www.xslt-stylesheet-include-url.org:80
+// with
+// replace ../conf/secret.xml
+// with
+//
+// replace www.a-trust.at and ksp.ecard.sozialversicherung.gv.at
+// with
+// replace ldap.a-trust.at:389, ocsp.a-trust.at:80 and ocsp.ecard.sozialversicherung.at:80
+// with (OCSP, CRLs)
+//
+
+// ========== SYSTEM CODE PERMISSIONS =========================================
+
+
+// These permissions apply to javac
+grant codeBase "file:${java.home}/lib/-" {
+ permission java.security.AllPermission;
+};
+
+// These permissions apply to all shared system extensions
+grant codeBase "file:${java.home}/jre/lib/ext/-" {
+ permission java.security.AllPermission;
+};
+
+// These permissions apply to javac when ${java.home] points at $JAVA_HOME/jre
+grant codeBase "file:${java.home}/../lib/-" {
+ permission java.security.AllPermission;
+};
+
+// These permissions apply to all shared system extensions when
+// ${java.home} points at $JAVA_HOME/jre
+grant codeBase "file:${java.home}/lib/ext/-" {
+ permission java.security.AllPermission;
+};
+
+
+// ========== CATALINA CODE PERMISSIONS =======================================
+
+
+// These permissions apply to the daemon code
+grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
+ permission java.security.AllPermission;
+};
+
+// These permissions apply to the logging API
+grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
+ permission java.util.PropertyPermission "java.util.logging.config.class", "read";
+ permission java.util.PropertyPermission "java.util.logging.config.file", "read";
+ permission java.io.FilePermission "${java.home}${file.separator}lib${file.separator}logging.properties", "read";
+ permission java.lang.RuntimePermission "shutdownHooks";
+ permission java.io.FilePermission "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
+ permission java.util.PropertyPermission "catalina.base", "read";
+ permission java.util.logging.LoggingPermission "control";
+ permission java.io.FilePermission "${catalina.base}${file.separator}logs", "read, write";
+ permission java.io.FilePermission "${catalina.base}${file.separator}logs${file.separator}*", "read, write";
+ permission java.lang.RuntimePermission "getClassLoader";
+
+ // added by clemenso (for manager webapp)
+ permission java.lang.RuntimePermission "setContextClassLoader";
+ permission java.lang.RuntimePermission "accessClassInPackage.sun.util.logging.resources";
+
+ // To enable per context logging configuration, permit read access to the appropriate file.
+ // Be sure that the logging configuration is secure before enabling such access
+ // eg for the examples web application:
+ // permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read";
+};
+
+// These permissions apply to the server startup code
+grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
+ permission java.security.AllPermission;
+};
+
+// These permissions apply to the servlet API classes
+// and those that are shared across all class loaders
+// located in the "lib" directory
+grant codeBase "file:${catalina.home}/lib/-" {
+ permission java.security.AllPermission;
+};
+
+
+// ========== WEB APPLICATION PERMISSIONS =====================================
+
+
+// These permissions are granted by default to all web applications
+// In addition, a web application will be given a read FilePermission
+// and JndiPermission for all files and directories in its document root.
+grant {
+ // Required for JNDI lookup of named JDBC DataSource's and
+ // javamail named MimePart DataSource used to send mail
+ permission java.util.PropertyPermission "java.home", "read";
+ permission java.util.PropertyPermission "java.naming.*", "read";
+ permission java.util.PropertyPermission "javax.sql.*", "read";
+
+ // OS Specific properties to allow read access
+ permission java.util.PropertyPermission "os.name", "read";
+ permission java.util.PropertyPermission "os.version", "read";
+ permission java.util.PropertyPermission "os.arch", "read";
+ permission java.util.PropertyPermission "file.separator", "read";
+ permission java.util.PropertyPermission "path.separator", "read";
+ permission java.util.PropertyPermission "line.separator", "read";
+
+ // JVM properties to allow read access
+ permission java.util.PropertyPermission "java.version", "read";
+ permission java.util.PropertyPermission "java.vendor", "read";
+ permission java.util.PropertyPermission "java.vendor.url", "read";
+ permission java.util.PropertyPermission "java.class.version", "read";
+ permission java.util.PropertyPermission "java.specification.version", "read";
+ permission java.util.PropertyPermission "java.specification.vendor", "read";
+ permission java.util.PropertyPermission "java.specification.name", "read";
+
+ permission java.util.PropertyPermission "java.vm.specification.version", "read";
+ permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
+ permission java.util.PropertyPermission "java.vm.specification.name", "read";
+ permission java.util.PropertyPermission "java.vm.version", "read";
+ permission java.util.PropertyPermission "java.vm.vendor", "read";
+ permission java.util.PropertyPermission "java.vm.name", "read";
+
+ // Required for OpenJMX
+ permission java.lang.RuntimePermission "getAttribute";
+
+ // Allow read of JAXP compliant XML parser debug
+ permission java.util.PropertyPermission "jaxp.debug", "read";
+
+ // Precompiled JSPs need access to this package.
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*";
+
+ // Precompiled JSPs need access to this system property.
+ permission java.util.PropertyPermission "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read";
+
+};
+
+
+
+
+
+
+
+
+// =========== container grants required by MOCCA
+//
+grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
+ permission java.lang.RuntimePermission "accessClassInPackage.sun.util.logging.resources";
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/logging.properties", "read";
+ // (for manager webapp)
+ permission java.lang.RuntimePermission "setContextClassLoader";
+};
+
+grant codeBase "file:${catalina.base}/work/Catalina/localhost/bkuonline" {
+ permission java.io.FilePermission "/helpfiles/-", "read";
+ permission java.lang.RuntimePermission "defineClassInPackage.org.apache.jasper.runtime";
+};
+
+// =========== MOCCA grants
+//
+grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/-" {
+ permission java.io.FilePermission "${catalina.base}/logs", "read, write";
+ permission java.io.FilePermission "${catalina.base}/logs/*", "read, write";
+ permission java.io.FilePermission "${catalina.base}/logs/*", "delete";
+
+ // DataURLs
+ permission java.net.SocketPermission "apps.egiz.gv.at:443", "connect, resolve";
+ permission java.net.SocketPermission "www.buergerkarte.at:443", "connect, resolve";
+ permission java.net.SocketPermission "www.sozialversicherung.gv.at:443", "connect, resolve";
+
+ // other resources (crls, persb.xsl, ...)
+ permission java.net.SocketPermission "www.a-trust.at:80", "connect, resolve";
+ permission java.net.SocketPermission "ksp.ecard.sozialversicherung.gv.at:80", "connect,resolve";
+ permission java.net.SocketPermission "ldap.a-trust.at:389", "connect, resolve";
+ permission java.net.SocketPermission "ocsp.a-trust.at:80", "connect, resolve";
+ permission java.net.SocketPermission "ocsp.ecard.sozialversicherung.at:80", "connect, resolve";
+// permission java.net.SocketPermission "localhost:8080", "connect, resolve";
+// permission java.net.SocketPermission "www.xslt-stylesheet-include-url.org:80", "connect, resolve";
+
+ permission java.security.SecurityPermission "insertProvider.IAIK";
+ permission java.security.SecurityPermission "putProviderProperty.IAIK";
+ permission java.security.SecurityPermission "removeProvider.IAIK";
+ permission java.security.SecurityPermission "insertProvider.IAIK_ECC";
+ permission java.security.SecurityPermission "putProviderProperty.IAIK_ECC";
+ permission java.security.SecurityPermission "insertProvider.XSECT";
+ permission java.security.SecurityPermission "putProviderProperty.XSECT";
+ permission java.security.SecurityPermission "insertProvider.STAL";
+ permission java.security.SecurityPermission "putProviderProperty.STAL";
+ // XMLDSig is moved backwards by XSECT
+ permission java.security.SecurityPermission "insertProvider.XMLDSig";
+ permission java.security.SecurityPermission "removeProvider.XMLDSig";
+
+ permission java.util.PropertyPermission "*", "read";
+ permission java.lang.RuntimePermission "accessDeclaredMembers";
+ permission java.lang.RuntimePermission "getClassLoader";
+ permission java.lang.RuntimePermission "getProtectionDomain";
+ //bkucommon,pki
+ permission java.lang.RuntimePermission "accessClassInPackage.sun.net.www.protocol.ldap";
+ //jax-ws jaxb
+ permission java.lang.RuntimePermission "accessClassInPackage.sun.util.logging.resources";
+ //permission java.lang.RuntimePermission "modifyThread";
+ //permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+ permission java.net.NetPermission "specifyStreamHandler";
+
+ //jaxb
+ //permission java.io.FilePermission "/WEB-INF/classes/-", "read";
+
+};
+
+grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/-" {
+// permission java.util.PropertyPermission "com.sun.xml.ws.fault.SOAPFaultBuilder.disableCaptureStackTrace", "write";
+// permission java.util.PropertyPermission "com.sun.xml.ws.transport.http.HttpAdapter.dump", "write";
+
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write";
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write";
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete";
+
+ permission java.lang.RuntimePermission "defineClassInPackage.java.lang";
+ permission java.util.PropertyPermission "*", "read, write";
+ permission java.lang.RuntimePermission "modifyThread";
+ permission java.lang.RuntimePermission "setFactory";
+ permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+};
+
+grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/utils-1.2.12-pinguin-1-SNAPSHOT.jar" {
+// permission java.lang.RuntimePermission "accessDeclaredMembers";
+ permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+};
+
+grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/bkucommon-1.2.12-pinguin-1-SNAPSHOT.jar" {
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write";
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write";
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete";
+ permission java.io.FilePermission "${catalina.base}/temp/*", "read, write";
+// permission java.io.FilePermission "../conf/secret.xml", "read";
+ permission java.util.PropertyPermission "*", "read, write";
+ permission java.lang.RuntimePermission "modifyThread";
+ permission java.lang.RuntimePermission "setFactory";
+ permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+};
+
+grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/iaik_jce_full_signed-3.16.jar" {
+ permission java.util.PropertyPermission "*", "read, write";
+};
+
+grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/iaik_xsect-1.14.jar" {
+ permission java.util.PropertyPermission "*", "read, write";
+};
+
+grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/iaik_pki-1.0-MOCCA.jar" {
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write";
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write";
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete";
+ //permission java.net.NetPermission "specifyStreamHandler";
+ //permission java.lang.RuntimePermission "accessClassInPackage.sun.net.www.protocol.ldap";
+};
+
+grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/xalan-2.7.1.jar" {
+ permission java.io.FilePermission "${java.home}/lib/xalan.properties", "read";
+ //permission java.lang.RuntimePermission "getClassLoader";
+};
+
+// allow xsl:include from the specified URL
+//grant codeBase "jar:file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/xalan-2.7.1.jar!/org/apache/xalan/processor/-" {
+// permission java.net.SocketPermission "www.xslt-stylesheet-include-url.org:80", "connect, resolve";
+//};
+
+// allow XSLT document function to reference the specified URL
+//grant codeBase "jar:file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/xalan-2.7.1.jar!/org/apache/xalan/xsltc/dom/LoadDocument.class" {
+// permission java.io.FilePermission "../conf/secret.xml", "read";
+//};
+
+// use tomcat/jre endorsed xerces instead
+grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/xercesImpl-2.9.1.jar" {
+ permission java.io.FilePermission "${java.home}/lib/xerces.properties", "read";
+// permission java.io.FilePermission "../conf/secret.xml", "read";
+// permission java.net.SocketPermission "www.xslt-stylesheet-include-url.org:80", "connect, resolve";
+ permission java.io.FilePermission "/WEB-INF/classes/-", "read";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.*";
+ //permission java.lang.RuntimePermission "accessDeclaredMembers";
+};
+
+grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/commons-logging-1.1.1.jar" {
+ permission java.lang.RuntimePermission "defineClassInPackage.java.lang";
+};
+
+grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/log4j-1.2.12.jar" {
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/log4j.properties", "read";
+ permission java.lang.RuntimePermission "defineClassInPackage.java.lang";
+};
+
+grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/spring-core-2.5.5.jar" {
+ //permission java.lang.RuntimePermission "accessDeclaredMembers";
+ permission java.lang.RuntimePermission "modifyThread";
+};
+
+grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/spring-web-2.5.5.jar" {
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write";
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write";
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete";
+ permission java.util.PropertyPermission "*", "read, write";
+ //permission java.lang.RuntimePermission "accessDeclaredMembers";
+ permission java.lang.RuntimePermission "modifyThread";
+ permission java.lang.RuntimePermission "setFactory";
+ //permission java.lang.RuntimePermission "getProtectionDomain";
+ permission java.lang.RuntimePermission "defineClassInPackage.java.lang";
+ permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+};
+
+grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/spring-beans-2.5.5.jar" {
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write";
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write";
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete";
+ permission java.util.PropertyPermission "*", "read, write";
+ //permission java.lang.RuntimePermission "accessDeclaredMembers";
+ permission java.lang.RuntimePermission "setFactory";
+ permission java.lang.RuntimePermission "getProtectionDomain";
+ permission java.lang.RuntimePermission "defineClassInPackage.java.lang";
+ permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+};
+grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/spring-context-2.5.5.jar" {
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write";
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write";
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete";
+ permission java.util.PropertyPermission "*", "read, write";
+ //permission java.lang.RuntimePermission "accessDeclaredMembers";
+ permission java.lang.RuntimePermission "modifyThread";
+ permission java.lang.RuntimePermission "setFactory";
+ permission java.lang.RuntimePermission "getProtectionDomain";
+ permission java.lang.RuntimePermission "defineClassInPackage.java.lang";
+ permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+};
+
+grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/jaxws-rt-2.1.5.jar" {
+ // need write access to set disableCaptureStackTrace and HttpAdapter.dump
+ permission java.util.PropertyPermission "com.sun.xml.ws.*", "read, write";
+ //permission java.util.PropertyPermission "com.sun.xml.bind.*", "read";
+ //permission java.util.PropertyPermission "javax.xml.soap.*", "read";
+ //permission java.util.PropertyPermission "javax.activation.*", "read";
+ //permission java.util.PropertyPermission "xml.catalog.*", "read";
+ //permission java.util.PropertyPermission "user.dir", "read";
+ //permission java.util.PropertyPermission "user.home", "read";
+ permission java.io.FilePermission "${java.home}/lib/jaxm.properties", "read";
+ permission java.io.FilePermission "${java.home}/lib/mailcap", "read";
+ permission java.io.FilePermission "${user.home}/.mailcap", "read";
+ permission java.io.FilePermission "basename", "read";
+ permission java.io.FilePermission "${catalina.home}/bin/xcatalog", "read";
+ permission java.io.FilePermission "${catalina.home}/temp/xcatalog", "read";
+ permission java.io.FilePermission "/WEB-INF/classes/-", "read";
+ //permission java.lang.RuntimePermission "accessDeclaredMembers";
+ //permission java.lang.RuntimePermission "accessClassInPackage.sun.util.logging.resources";
+ permission java.lang.RuntimePermission "setContextClassLoader";
+ permission javax.management.MBeanServerPermission "createMBeanServer";
+ permission javax.management.MBeanPermission "com.sun.xml.ws.*", "registerMBean";
+ permission javax.management.MBeanTrustPermission "register";
+ permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+}; + +grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/jaxb-impl-2.1.9.jar" { + //permission java.lang.RuntimePermission "accessClassInPackage.sun.util.logging.resources"; + permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; +// permission java.lang.RuntimePermission "accessDeclaredMembers"; +// permission java.util.PropertyPermission "com.sun.xml.bind.v2.*", "read"; +// permission java.util.PropertyPermission "user.dir", "read"; + permission java.io.FilePermission "/WEB-INF/classes/-", "read"; +}; + +// ======== NETBEANS + +grant codeBase "file:${catalina.base}/nblib/-" { + permission java.security.AllPermission; +}; \ No newline at end of file diff --git a/BKUOnline/src/main/resources/at/gv/egiz/bku/online/conf/accessControlConfig.xml b/BKUOnline/src/main/resources/at/gv/egiz/bku/online/conf/accessControlConfig.xml deleted file mode 100644 index f8d1411c..00000000 --- a/BKUOnline/src/main/resources/at/gv/egiz/bku/online/conf/accessControlConfig.xml +++ /dev/null @@ -1,84 +0,0 @@ - - - - - - - - - - - allow - - confirm - - - - - - - - - certifiedGovAgency - - allow - - confirm - - - anonymous - - Command - - - - - - - - certified - - IdentityLink - derived - - - allow - - confirm - - - anonymous - - IdentityLink - - - deny - - info - - - - allow - - - - - - diff --git a/BKUOnline/src/main/resources/at/gv/egiz/mocca/id/idlschema/PersonData.xsd b/BKUOnline/src/main/resources/at/gv/egiz/mocca/id/idlschema/PersonData.xsd new file mode 100644 index 00000000..3d59a2b1 --- /dev/null +++ b/BKUOnline/src/main/resources/at/gv/egiz/mocca/id/idlschema/PersonData.xsd @@ -0,0 +1,57 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file 
diff --git a/BKUOnline/src/main/resources/at/gv/egiz/mocca/id/idlschema/oasis-sstc-saml-schema-assertion-1.0.xsd b/BKUOnline/src/main/resources/at/gv/egiz/mocca/id/idlschema/oasis-sstc-saml-schema-assertion-1.0.xsd new file mode 100644 index 00000000..5518db2f --- /dev/null +++ b/BKUOnline/src/main/resources/at/gv/egiz/mocca/id/idlschema/oasis-sstc-saml-schema-assertion-1.0.xsd @@ -0,0 +1,105 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/BKUOnline/src/main/resources/at/gv/egiz/mocca/id/idlschema/xmldsig-core-schema.xsd b/BKUOnline/src/main/resources/at/gv/egiz/mocca/id/idlschema/xmldsig-core-schema.xsd new file mode 100644 index 00000000..8422fdfa --- /dev/null +++ b/BKUOnline/src/main/resources/at/gv/egiz/mocca/id/idlschema/xmldsig-core-schema.xsd @@ -0,0 +1,308 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/BKUOnline/src/main/resources/at/gv/egiz/mocca/id/idlschema/xmldsig-more.xsd b/BKUOnline/src/main/resources/at/gv/egiz/mocca/id/idlschema/xmldsig-more.xsd new file mode 100644 index 00000000..52856ae6 --- /dev/null +++ b/BKUOnline/src/main/resources/at/gv/egiz/mocca/id/idlschema/xmldsig-more.xsd 
@@ -0,0 +1,147 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/BKUOnline/src/main/resources/commons-logging.properties b/BKUOnline/src/main/resources/commons-logging.properties deleted file mode 100644 index 0d497b1b..00000000 --- a/BKUOnline/src/main/resources/commons-logging.properties +++ /dev/null @@ -1,16 +0,0 @@ -# Copyright 2008 Federal Chancellery Austria and -# Graz University of Technology -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -org.apache.commons.logging.Log=org.apache.commons.logging.impl.Log4JLogger diff --git a/BKUOnline/src/main/resources/log4j.properties b/BKUOnline/src/main/resources/log4j.properties index d4a03fe7..e3012f35 100644 --- a/BKUOnline/src/main/resources/log4j.properties +++ b/BKUOnline/src/main/resources/log4j.properties @@ -14,9 +14,10 @@ # limitations under the License. -#log4j.rootLogger=DEBUG, STDOUT, file -log4j.rootLogger=INFO, file +log4j.rootLogger=INFO, STDOUT, file +#log4j.rootLogger=DEBUG, file #log4j.logger.at.gv=TRACE +log4j.logger.org.springframework=INFO # STDOUT appender 
@@ -24,7 +25,7 @@ log4j.appender.STDOUT=org.apache.log4j.ConsoleAppender log4j.appender.STDOUT.layout=org.apache.log4j.PatternLayout #log4j.appender.STDOUT.layout.ConversionPattern=%5p | %d{dd HH:mm:ss,SSS} | %20c | %10t | %m%n #log4j.appender.STDOUT.layout.ConversionPattern=%-4r [%t] %-5p %c %x - %m%n -log4j.appender.STDOUT.layout.ConversionPattern=%-5p | %t | %c %x - %m%n +log4j.appender.STDOUT.layout.ConversionPattern=...%-0.6X{id} %-5p | %t | %c - %m%n # FILE appender log4j.appender.file=org.apache.log4j.RollingFileAppender diff --git a/BKUOnline/src/main/webapp/IDRequestForm.html b/BKUOnline/src/main/webapp/IDRequestForm.html new file mode 100644 index 00000000..2682df4d --- /dev/null +++ b/BKUOnline/src/main/webapp/IDRequestForm.html @@ -0,0 +1,71 @@ + + + + + ID Request Form + + + + + + +
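Review bot: The new STDOUT ConversionPattern begins with a literal `...` ahead of `%-0.6X{id}`, so every console line is prefixed with three dots; if that is a leftover from trying out the MDC field, the line should read `log4j.appender.STDOUT.layout.ConversionPattern=%-0.6X{id} %-5p | %t | %c - %m%n`. `%X{id}` only renders when the application places an `id` key into the MDC, and nothing visible in this commit shows where that happens, so a comment above the line naming the component that sets it would help the next reader. If `id` carries a session or request identifier, the `.6` precision is what truncates it to six characters before it reaches the log; that limit is worth stating in the same comment so nobody later widens it to the full value.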

ID Request Form

+
+
ID Request +

+
+
+
+ + + diff --git a/BKUOnline/src/main/webapp/PINManagement.jsp b/BKUOnline/src/main/webapp/PINManagement.jsp index 3555f99e..d5f71862 100644 --- a/BKUOnline/src/main/webapp/PINManagement.jsp +++ b/BKUOnline/src/main/webapp/PINManagement.jsp @@ -49,11 +49,43 @@ } String backgroundImg = request.getParameter("appletBackground"); %> - + + +
+ + +
+ + + + +
+ + +
+ + + + +
+ +
+ + + + + + + + +
+ + +
diff --git a/BKUOnline/src/main/webapp/SLRequestForm.html b/BKUOnline/src/main/webapp/SLRequestForm.html index 2de652a7..2a372d83 100644 --- a/BKUOnline/src/main/webapp/SLRequestForm.html +++ b/BKUOnline/src/main/webapp/SLRequestForm.html @@ -73,7 +73,7 @@

Security-Layer v1.2 Request Formular

-

Enter XML Request @@ -186,8 +186,8 @@

- Default - Alternative + Default + Alternative

- + + + + + + + + + + + + + + + + + + + + + + - - + + + + + + + + - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + - - - - - + + + + + + + + + + - - - - - - - - - + + + + + + + + + + + + + + + + + + - - - + + + + + + + + - - - - - - + - - - - - - - - - - - + + + + + + + + + + + + + - - + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/BKUOnline/src/main/webapp/WEB-INF/conf/configuration.xml b/BKUOnline/src/main/webapp/WEB-INF/conf/configuration.xml new file mode 100644 index 00000000..20d27bb0 --- /dev/null +++ b/BKUOnline/src/main/webapp/WEB-INF/conf/configuration.xml @@ -0,0 +1,10 @@ + + + + + 50 + + \ No newline at end of file diff --git a/BKUOnline/src/main/webapp/WEB-INF/mocca-conf.xml b/BKUOnline/src/main/webapp/WEB-INF/mocca-conf.xml deleted file mode 100644 index 5c96dc58..00000000 --- a/BKUOnline/src/main/webapp/WEB-INF/mocca-conf.xml +++ /dev/null @@ -1,51 +0,0 @@ - - - - - - - - - - - - - - - - - - diff --git a/BKUOnline/src/main/webapp/WEB-INF/web.xml b/BKUOnline/src/main/webapp/WEB-INF/web.xml index 41cd400f..13ed30ee 100644 --- a/BKUOnline/src/main/webapp/WEB-INF/web.xml +++ b/BKUOnline/src/main/webapp/WEB-INF/web.xml @@ -15,19 +15,23 @@ http-security-layer-request - - - contextConfigLocation - /WEB-INF/applicationContext.xml - - org.springframework.web.context.ContextLoaderListener + at.gv.egiz.bku.online.webapp.MoccaContextListener + + + + org.springframework.web.context.ContextLoaderListener + + + configurationResource + + - at.gv.egiz.bku.online.webapp.SessionTimeout + at.gv.egiz.bku.online.webapp.SessionListener com.sun.xml.ws.transport.http.servlet.WSServletContextListener @@ -36,6 +40,14 @@ BKUServlet at.gv.egiz.bku.online.webapp.BKURequestHandler + + SAMLServlet + at.gv.egiz.mocca.id.SAMLRequestHandler + + + DataURLServlet + at.gv.egiz.mocca.id.DataURLServerServlet + ResultServlet at.gv.egiz.bku.online.webapp.ResultServlet 
@@ -45,31 +57,39 @@ expiredPage - expired.html - - BKUApplet - /applet.jsp - - - STALService - com.sun.xml.ws.transport.http.servlet.WSServlet - 1 - - - BKUServlet - /http-security-layer-request - + + STALService + com.sun.xml.ws.transport.http.servlet.WSServlet + 1 + + + BKUServlet + /http-security-layer-request + BKUServlet /https-security-layer-request + + DataURLServlet + /DataURLServer + ResultServlet /bkuResult + + SAMLServlet + /moccaid + + + DataURLServlet + /DataURLServer + + + + + + + +
+ + + + +
+ + + +
+ + + + + + + + +
+ + + + + + + + + + + diff --git a/BKUOnline/src/main/webapp/img/dec.png b/BKUOnline/src/main/webapp/img/dec.png new file mode 100644 index 00000000..87693cf4 Binary files /dev/null and b/BKUOnline/src/main/webapp/img/dec.png differ diff --git a/BKUOnline/src/main/webapp/img/help.png b/BKUOnline/src/main/webapp/img/help.png new file mode 100644 index 00000000..5d6da3bf Binary files /dev/null and b/BKUOnline/src/main/webapp/img/help.png differ diff --git a/BKUOnline/src/main/webapp/img/inc.png b/BKUOnline/src/main/webapp/img/inc.png new file mode 100644 index 00000000..26e58b80 Binary files /dev/null and b/BKUOnline/src/main/webapp/img/inc.png differ diff --git a/BKUOnline/src/main/webapp/local.jsp b/BKUOnline/src/main/webapp/local.jsp new file mode 100644 index 00000000..48d62674 --- /dev/null +++ b/BKUOnline/src/main/webapp/local.jsp @@ -0,0 +1,63 @@ + +<%@ page language="java" contentType="text/html; charset=UTF-8" + pageEncoding="UTF-8" + import="at.gv.egiz.bku.online.webapp.AppletDispatcher,org.apache.commons.lang.RandomStringUtils,org.apache.commons.lang.StringEscapeUtils" %> + + + + + + MOCCA + + + + + + + + <% + int width = session.getAttribute("appletWidth") == null ? 190 + : (Integer) session.getAttribute("appletWidth"); + int height = session.getAttribute("appletHeight") == null ? 130 + : (Integer) session.getAttribute("appletHeight"); + String backgroundImg = StringEscapeUtils.escapeJavaScript(session + .getAttribute("appletBackground") == null ? "../img/chip32.png" + : (String) session.getAttribute("appletBackground")); + String backgroundColor = StringEscapeUtils + .escapeJavaScript((String) session + .getAttribute("appletBackgroundColor")); + + String sessionId = StringEscapeUtils.escapeJavaScript(session.getId()); + + String dataURL = request.getRequestURL().toString(); + dataURL = dataURL.substring(0, dataURL.lastIndexOf('/')) + "/DataURLServer"; + %> + +
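Review bot: `DataURLServlet` appears to be mapped to `/DataURLServer` twice on the added side of this servlet-mapping hunk, once right after the `/https-security-layer-request` mapping and again after the `/moccaid` mapping; the second entry is redundant and should be dropped so the mapping table stays unambiguous for the container. The element markup of this hunk is not preserved in this view, so it is possible one occurrence is inside a comment, but both are on `+` lines. The surrounding web-app element starts in the earlier hunks of this file.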
+
+ + + +

Anfrage wird an lokale BKU gesendet

+
+ +
+
+
+ + diff --git a/BKUOnline/src/test/java/at/gv/egiz/bku/online/conf/SSLConfigTest.java b/BKUOnline/src/test/java/at/gv/egiz/bku/online/conf/SSLConfigTest.java deleted file mode 100644 index eefaf5b6..00000000 --- a/BKUOnline/src/test/java/at/gv/egiz/bku/online/conf/SSLConfigTest.java +++ /dev/null @@ -1,40 +0,0 @@ -package at.gv.egiz.bku.online.conf; - -import java.net.URL; - -import javax.net.ssl.HttpsURLConnection; - -import org.junit.After; -import org.junit.Before; -import org.junit.Ignore; -import org.junit.Test; -import org.springframework.context.ApplicationContext; -import org.springframework.context.support.ClassPathXmlApplicationContext; - -@Ignore -public class SSLConfigTest { - - private SpringConfigurator cfg; - private ApplicationContext ctx; - - @Before - public void setUp() throws Exception { - ctx = new ClassPathXmlApplicationContext("applicationContext.xml"); - - } - - @Ignore - @Test - public void testConnect() throws Exception { - String url = "https://apps.egiz.gv.at/exchange-moa-id-auth/VerifyIdentityLink?MOASessionID=8151862969943601574"; - URL u = new URL(url); - HttpsURLConnection uc = (HttpsURLConnection) u.openConnection(); - uc.connect(); - System.out.println(uc.getCipherSuite()); - } - - @After - public void shutDown() { - - } -} diff --git a/BKUOnline/src/test/java/at/gv/egiz/stal/service/STALRequestBrokerTest.java b/BKUOnline/src/test/java/at/gv/egiz/stal/service/STALRequestBrokerTest.java index 741974eb..da816d48 100644 --- a/BKUOnline/src/test/java/at/gv/egiz/stal/service/STALRequestBrokerTest.java +++ b/BKUOnline/src/test/java/at/gv/egiz/stal/service/STALRequestBrokerTest.java 
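Review bot: `backgroundImg`, `backgroundColor` and `sessionId` are escaped with `StringEscapeUtils.escapeJavaScript`, which turns `"` into `\"` and leaves `<` untouched; that is only safe inside a JavaScript string literal, and if any of these values is written into an HTML attribute or element text further down the page (the markup is stripped from this view, so this is inferred) the HTML context needs `StringEscapeUtils.escapeHtml` instead. `session.getId()` is emitted into the response body here, which is the bearer token for this user's session; a comment saying why the page needs it (presumably for the applet/STAL binding) and confirming the response is served non-cacheable would make the intent reviewable. `dataURL` is derived from `request.getRequestURL()`, i.e. from the client-supplied Host header, so behind a proxy or with a forged Host the address handed out as the DataURL points wherever the request claimed; a configured base URL, or a host check, is the safer source. `(String) session.getAttribute("appletBackgroundColor")` may be null and `escapeJavaScript(null)` returns null, so a short note on how a null `backgroundColor` is handled downstream would help.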
@@ -47,11 +47,11 @@ import java.util.ArrayList; import java.util.Collections; import java.util.List; import javax.xml.bind.JAXBElement; -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; import org.junit.BeforeClass; import org.junit.Ignore; import org.junit.Test; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; import static org.junit.Assert.*; @@ -62,11 +62,12 @@ import static org.junit.Assert.*; @Ignore public class STALRequestBrokerTest { - private static final Log log = LogFactory.getLog(STALRequestBrokerTest.class); + private final Logger log = LoggerFactory.getLogger(STALRequestBrokerTest.class); protected static STALRequestBroker stal; @BeforeClass public static void setUp() { + Logger log = LoggerFactory.getLogger(STALRequestBrokerTest.class); RequestBrokerSTALFactory fac = new RequestBrokerSTALFactory(); stal = (STALRequestBrokerImpl) fac.createSTAL(); log.debug("Created STAL " + stal.getClass().getName()); diff --git a/BKUOnline/src/test/resources/commons-logging.properties b/BKUOnline/src/test/resources/commons-logging.properties deleted file mode 100644 index 0d497b1b..00000000 --- a/BKUOnline/src/test/resources/commons-logging.properties +++ /dev/null @@ -1,16 +0,0 @@ -# Copyright 2008 Federal Chancellery Austria and -# Graz University of Technology -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -org.apache.commons.logging.Log=org.apache.commons.logging.impl.Log4JLogger 
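Review bot: In the second hunk the logger field becomes a non-static `private final Logger log`, and a second local `Logger log` is then created inside the static `setUp()` to compensate, leaving two loggers for one class with the local shadowing the field. Keep a single static logger, `private static final Logger log = LoggerFactory.getLogger(STALRequestBrokerTest.class);`, and drop the added local line in `setUp()`. While converting to SLF4J, the unchanged `log.debug("Created STAL " + stal.getClass().getName());` could use the parameterized form `log.debug("Created STAL {}", stal.getClass().getName());`. The class body continues outside the hunk.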
diff --git a/BKUOnline/src/test/resources/templates/empty.xml b/BKUOnline/src/test/resources/templates/empty.xml new file mode 100644 index 00000000..5381ac6c --- /dev/null +++ b/BKUOnline/src/test/resources/templates/empty.xml @@ -0,0 +1,2 @@ + + \ No newline at end of file diff --git a/BKUOnline/src/test/resources/templates/template.xsl b/BKUOnline/src/test/resources/templates/template.xsl new file mode 100644 index 00000000..6ec73a42 --- /dev/null +++ b/BKUOnline/src/test/resources/templates/template.xsl @@ -0,0 +1,88 @@ + + + + + + + + + + + + + + + Signatur der Anmeldedaten + + + +

Anmeldedaten:

+ +

Daten zur Person

+ + + + + + + + + + + + + +
Name: + + + +
Geburtsdatum: + +
+ +

Technische Parameter

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
URL:
Bereich:
Identifikator: +
Datum + +
Uhrzeit + +
+ + +
+