Mercurial > dive4elements > river
annotate flys-client/src/main/java/de/intevation/flys/client/server/auth/was/Signature.java @ 4488:5041105d2edd
Check if response code from GGInA is 200 OK
Only parse the GGInA response if the status code is 200 OK. This improves the
error message if GGInA is not available and shows the real reason instead of a
JDOM error while parsing the response.
| author | Björn Ricks <bjoern.ricks@intevation.de> |
|---|---|
| date | Wed, 14 Nov 2012 10:36:21 +0100 |
| parents | 725470fc57d2 |
| children |
| rev | line source |
|---|---|
|
2956
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
1 package de.intevation.flys.client.server.auth.was; |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
2 |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
3 import java.io.ByteArrayInputStream; |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
4 import java.security.cert.Certificate; |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
5 import java.security.cert.CertificateException; |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
6 import java.security.cert.CertificateFactory; |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
7 |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
8 import org.apache.commons.codec.binary.Base64; |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
9 import org.apache.log4j.Logger; |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
10 import org.jdom.Element; |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
11 |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
12 public class Signature { |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
13 |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
14 private static Logger logger = Logger.getLogger(Signature.class); |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
15 |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
16 private static final String XML_SIG_DIGEST_SHA1 = |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
17 "http://www.w3.org/2000/09/xmldsig#sha1"; |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
18 private static final String XML_SIG_SIGNATURE_RSA_SHA1 = |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
19 "http://www.w3.org/2000/09/xmldsig#rsa-sha1"; |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
20 |
|
2983
725470fc57d2
Add "Manage themes" button to ChartToolbar and MapToolbar.
Christian Lins <christian.lins@intevation.de>
parents:
2956
diff
changeset
|
21 private final Element signature; |
|
2956
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
22 private Certificate cert; |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
23 private byte[] value; |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
24 private byte[] digestvalue; |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
25 private String reference; |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
26 |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
27 public Signature(Element signature) { |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
28 this.signature = signature; |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
29 this.parseSignatureInfo(); |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
30 this.parseSignatureValue(); |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
31 this.parseCertificate(); |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
32 } |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
33 |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
34 private void parseSignatureInfo() { |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
35 Element signatureinfo = this.signature.getChild("SignedInfo", |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
36 Namespaces.XML_SIG_NS); |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
37 if (signatureinfo != null) { |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
38 Element signaturemethod = signatureinfo.getChild("SignatureMethod", |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
39 Namespaces.XML_SIG_NS); |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
40 String algorithm = signaturemethod.getAttributeValue("Algorithm"); |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
41 if (!algorithm.equals(XML_SIG_SIGNATURE_RSA_SHA1)) { |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
42 logger.warn("Unkown signature alorithm " + algorithm); |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
43 } |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
44 |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
45 // There could be several references in XML-Sig spec but for me it |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
46 // doesn't make sense to have more then one in a SAML Assertion |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
47 Element reference = signatureinfo.getChild("Reference", |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
48 Namespaces.XML_SIG_NS); |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
49 // reference must be present but its better to check |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
50 if (reference != null) { |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
51 String digestvalue = reference.getChildText("DigestValue", |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
52 Namespaces.XML_SIG_NS); |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
53 String digestmethod = reference.getChildText("DigestMethod", |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
54 Namespaces.XML_SIG_NS); |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
55 if (!digestmethod.equals(XML_SIG_DIGEST_SHA1)) { |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
56 logger.warn("Unknown digest method " + digestmethod); |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
57 } |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
58 this.digestvalue = Base64.decodeBase64(digestvalue); |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
59 |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
60 String referenceuri = reference.getAttributeValue("URI"); |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
61 if (referenceuri.startsWith("#")) { |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
62 this.reference = referenceuri.substring(1); |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
63 } |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
64 else { |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
65 logger.warn("Unkown reference type " + referenceuri); |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
66 this.reference = referenceuri; |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
67 } |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
68 } |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
69 } |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
70 } |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
71 |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
72 private void parseSignatureValue() { |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
73 String signaturevalue = this.signature.getChildText("SignatureValue", |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
74 Namespaces.XML_SIG_NS); |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
75 this.value = Base64.decodeBase64(signaturevalue); |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
76 } |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
77 |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
78 private void parseCertificate() { |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
79 Element keyinfo = this.signature.getChild("KeyInfo", |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
80 Namespaces.XML_SIG_NS); |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
81 if (keyinfo != null) { |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
82 Element data = keyinfo.getChild("X509Data", Namespaces.XML_SIG_NS); |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
83 if (data != null) { |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
84 String base64cert = data.getChildText("X509Certificate", |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
85 Namespaces.XML_SIG_NS); |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
86 if (base64cert != null) { |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
87 byte[] bytes = Base64.decodeBase64(base64cert); |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
88 try { |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
89 CertificateFactory cf = CertificateFactory.getInstance( |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
90 "X.509"); |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
91 this.cert = cf.generateCertificate( |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
92 new ByteArrayInputStream(bytes)); |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
93 } |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
94 catch(CertificateException e) { |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
95 // should never occur |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
96 logger.error(e); |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
97 } |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
98 } |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
99 } |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
100 } |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
101 } |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
102 |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
103 public Certificate getCertificate() { |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
104 return this.cert; |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
105 } |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
106 |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
107 public byte[] getValue() { |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
108 return this.value; |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
109 } |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
110 |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
111 public String getReference() { |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
112 // In theory there could be several references with digestvalues, ... |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
113 return this.reference; |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
114 } |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
115 |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
116 public byte[] getDigestValue() { |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
117 return this.digestvalue; |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
118 } |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
119 } |
|
d7f76f197d89
Refactor GGInA authentication
Bjoern Ricks <bjoern.ricks@intevation.de>
parents:
diff
changeset
|
120 // vim: set si et fileencoding=utf-8 ts=4 sw=4 tw=80: |