at.gv.egovernment.moa.id.auth.servlet.GetMISSessionIDServlet.java Source code


Introduction

Here is the source code for at.gv.egovernment.moa.id.auth.servlet.GetMISSessionIDServlet.java

Source

/*******************************************************************************
 * Copyright 2014 Federal Chancellery Austria
 * MOA-ID has been developed in a cooperation between BRZ, the Federal
 * Chancellery Austria - ICT staff unit, and Graz University of Technology.
 * 
 * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
 * the European Commission - subsequent versions of the EUPL (the "Licence");
 * You may not use this work except in compliance with the Licence.
 * You may obtain a copy of the Licence at:
 * http://www.osor.eu/eupl/
 * 
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the Licence is distributed on an "AS IS" basis,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the Licence for the specific language governing permissions and
 * limitations under the Licence.
 * 
 * This product combines work with different licenses. See the "NOTICE" text
 * file for details on the various modules and licenses.
 * The "NOTICE" text file is part of the distribution. Any derivative works
 * that you distribute must include a readable copy of the "NOTICE" text file.
 ******************************************************************************/
/*
 * Copyright 2003 Federal Chancellery Austria
 * MOA-ID has been developed in a cooperation between BRZ, the Federal
 * Chancellery Austria - ICT staff unit, and Graz University of Technology.
 *
 * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
 * the European Commission - subsequent versions of the EUPL (the "Licence");
 * You may not use this work except in compliance with the Licence.
 * You may obtain a copy of the Licence at:
 * http://www.osor.eu/eupl/
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the Licence is distributed on an "AS IS" basis,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the Licence for the specific language governing permissions and
 * limitations under the Licence.
 *
 * This product combines work with different licenses. See the "NOTICE" text
 * file for details on the various modules and licenses.
 * The "NOTICE" text file is part of the distribution. Any derivative works
 * that you distribute must include a readable copy of the "NOTICE" text file.
 */

package at.gv.egovernment.moa.id.auth.servlet;

import iaik.pki.PKIException;

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.List;

import javax.net.ssl.SSLSocketFactory;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.parsers.ParserConfigurationException;

import org.apache.commons.lang.StringEscapeUtils;
import org.xml.sax.SAXException;

import at.gv.egovernment.moa.id.auth.AuthenticationServer;
import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;
import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
import at.gv.egovernment.moa.id.auth.modules.internal.tasks.GetMISSessionIDTask;
import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils;
import at.gv.egovernment.moa.id.config.ConnectionParameter;
import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
import at.gv.egovernment.moa.id.moduls.ModulUtils;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
import at.gv.egovernment.moa.id.util.SSLUtils;
import at.gv.egovernment.moa.id.util.client.mis.simple.MISMandate;
import at.gv.egovernment.moa.id.util.client.mis.simple.MISSimpleClient;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.DOMUtils;

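/**
 * Servlet that completes a mandate-based login: it fetches the mandate for the
 * current authentication session from the online-mandates (MIS) service,
 * verifies it via the {@link AuthenticationServer}, marks the session as
 * authenticated and answers with a redirect to the URL built by
 * {@link DataURLBuilder}.
 *
 * @deprecated Use {@link GetMISSessionIDTask} instead.
 */
public class GetMISSessionIDServlet extends AuthServlet {

    /** Serialization version identifier of this servlet class. */
    private static final long serialVersionUID = 4666952867085392597L;

    /**
     * Constructor for GetMISSessionIDServlet.
     */
    public GetMISSessionIDServlet() {
        super();
    }

    /**
     * Handles GET exactly like POST by delegating to
     * {@link #doPost(HttpServletRequest, HttpServletResponse)}.
     * <p>
     * NOTE(review): with GET the MOASessionID travels in the query string and
     * the request changes session state (the session is marked authenticated).
     * Query strings commonly end up in access logs, browser history and
     * Referer headers; confirm that callers really need GET here.
     *
     * @see javax.servlet.http.HttpServlet#doGet(HttpServletRequest,
     *      HttpServletResponse)
     */
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        doPost(req, resp);
    }

    /**
     * Loads the mandate that belongs to the authentication session from the
     * MIS service, verifies it and redirects the client. <br>
     * Request parameters:
     * <ul>
     * <li>MOASessionID: ID of associated authentication session</li>
     * </ul>
     * On success the session holds the mandate, is flagged as authenticated,
     * receives a new MOASessionID and the response is a 302 redirect. Every
     * failure is handed to <code>handleError</code>, so the client always
     * receives an error response instead of an empty page.
     *
     * @see javax.servlet.http.HttpServlet#doPost(HttpServletRequest,
     *      HttpServletResponse)
     */
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {

        Logger.debug("POST GetMISSessionIDServlet");

        Logger.warn(getClass().getName() + " is deprecated and should not be used any more.");

        // The answer depends on per-user session state and must not be cached.
        resp.setHeader(MOAIDAuthConstants.HEADER_EXPIRES, MOAIDAuthConstants.HEADER_VALUE_EXPIRES);
        resp.setHeader(MOAIDAuthConstants.HEADER_PRAGMA, MOAIDAuthConstants.HEADER_VALUE_PRAGMA);
        resp.setHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL, MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL);
        resp.addHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL, MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL_IE);

        // The session ID is attacker-controllable input: it is HTML-escaped
        // first and then has to pass the format check below before it is used
        // for any lookup.
        String sessionID = StringEscapeUtils.escapeHtml(req.getParameter(PARAM_SESSIONID));

        AuthenticationSession session = null;
        String pendingRequestID = null;
        try {
            // Reject malformed session IDs. The error names this servlet
            // (previously the copy-pasted "VerifyCertificate").
            if (!ParamValidatorUtils.isValidSessionID(sessionID)) {
                throw new WrongParametersException(GET_MIS_SESSIONID, PARAM_SESSIONID, "auth.12");
            }

            pendingRequestID = AuthenticationSessionStoreage.getPendingRequestID(sessionID);

            session = AuthenticationServer.getSession(sessionID);

            // Issue a new MOASessionID for the session right after the lookup.
            sessionID = AuthenticationSessionStoreage.changeSessionID(session);

            String misSessionID = session.getMISSessionID();

            // The MIS service is contacted with the SSL socket factory that is
            // built from the online-mandates connection configuration.
            AuthConfigurationProvider authConf = AuthConfigurationProvider.getInstance();
            ConnectionParameter connectionParameters = authConf.getOnlineMandatesConnectionParameter();
            SSLSocketFactory sslFactory = SSLUtils.getSSLSocketFactory(authConf, connectionParameters);

            List<MISMandate> list = MISSimpleClient.sendGetMandatesRequest(connectionParameters.getUrl(),
                    misSessionID, sslFactory);

            if (list == null || list.isEmpty()) {
                Logger.error("Keine Vollmacht gefunden.");
                throw new AuthenticationException("auth.15", null);
            }

            // for now: list contains only one element
            MISMandate mandate = list.get(0);

            // Check the raw bytes BEFORE decoding them: new String(null) throws
            // a NullPointerException, so a null check on the decoded string
            // could never fire and a missing mandate ended up in the generic
            // catch block instead of producing "auth.15".
            byte[] byteMandate = mandate.getMandate();
            if (byteMandate == null || byteMandate.length == 0) {
                Logger.error("Mandate is empty.");
                throw new AuthenticationException("auth.15", new Object[] { GET_MIS_SESSIONID });
            }

            // TODO[tlenz]: UTF-8 ?
            // NOTE(review): decoding uses the platform default charset, so the
            // result depends on the JVM configuration; confirm the encoding the
            // MIS service delivers and decode with it explicitly.
            String stringMandate = new String(byteMandate);
            if (stringMandate.compareToIgnoreCase("") == 0) {
                Logger.error("Mandate is empty.");
                throw new AuthenticationException("auth.15", new Object[] { GET_MIS_SESSIONID });
            }

            // Check that the mandate is parsable XML (non-validating parse).
            // NOTE(review): the document comes from a remote service; whether
            // DOMUtils.parseDocument disables DTDs and external entities is not
            // visible here - confirm, otherwise this parse is an XXE surface.
            DOMUtils.parseDocument(stringMandate, false, null, null).getDocumentElement();

            // extract RepresentationType
            AuthenticationServer.getInstance().verifyMandate(session, mandate);

            session.setMISMandate(mandate);
            session.setAuthenticatedUsed(false);
            session.setAuthenticated(true);

            // set QAA level four in case of card authentication
            session.setQAALevel(PVPConstants.STORK_QAA_1_4);

            String oldsessionID = session.getSessionID();

            // The session is implicitly stored by changeSessionID.
            String newMOASessionID = AuthenticationSessionStoreage.changeSessionID(session);

            // NOTE(review): the new, still valid MOASessionID is written to the
            // log at INFO level here and again as part of the redirect URL at
            // DEBUG level; anyone who can read the log can read the
            // identifier. Consider logging a truncated or hashed value.
            Logger.info("Changed MOASession " + oldsessionID + " to Session " + newMOASessionID);
            Logger.info("Daten angelegt zu MOASession " + newMOASessionID);

            String redirectURL = new DataURLBuilder().buildDataURL(session.getAuthURL(),
                    ModulUtils.buildAuthURL(session.getModul(), session.getAction(), pendingRequestID),
                    newMOASessionID);
            redirectURL = resp.encodeRedirectURL(redirectURL);

            resp.setContentType("text/html");
            resp.setStatus(302);
            resp.addHeader("Location", redirectURL);
            Logger.debug("REDIRECT TO: " + redirectURL);

        } catch (MOAIDException ex) {
            handleError(null, ex, req, resp, pendingRequestID);

        } catch (GeneralSecurityException ex) {
            handleError(null, ex, req, resp, pendingRequestID);

        } catch (PKIException e) {
            handleError(null, e, req, resp, pendingRequestID);

        } catch (SAXException e) {
            handleError(null, e, req, resp, pendingRequestID);

        } catch (ParserConfigurationException e) {
            handleError(null, e, req, resp, pendingRequestID);

        } catch (Exception e) {
            // Unexpected failures were only logged before, which left the
            // client with an empty success response. Log them and report them
            // through the same error path as every other failure.
            Logger.error("MISMandateValidation has an interal Error.", e);
            handleError(null, e, req, resp, pendingRequestID);

        } finally {
            // Always release the configuration database session.
            ConfigurationDBUtils.closeSession();
        }
    }

}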