Author: prabath
Date: Tue Mar 11 23:25:27 2008
New Revision: 14722

Log:

PAPE phishing-resistant authentication

Modified:
   
trunk/solutions/identity/modules/base/src/main/java/org/wso2/solutions/identity/IdentityConstants.java
   
trunk/solutions/identity/modules/identity-provider/src/main/java/org/wso2/solutions/identity/openid/OpenIDUtil.java
   
trunk/solutions/identity/modules/identity-provider/src/main/java/org/wso2/solutions/identity/openid/extensions/OpenIDPape.java
   
trunk/solutions/identity/modules/user-ui/src/main/java/org/wso2/solutions/identity/user/ui/action/OpenIDAuthenticationAction.java
   
trunk/solutions/identity/modules/user-ui/src/main/webapp/jsp/openidauthentication.jsp

Modified: 
trunk/solutions/identity/modules/base/src/main/java/org/wso2/solutions/identity/IdentityConstants.java
==============================================================================
--- 
trunk/solutions/identity/modules/base/src/main/java/org/wso2/solutions/identity/IdentityConstants.java
      (original)
+++ 
trunk/solutions/identity/modules/base/src/main/java/org/wso2/solutions/identity/IdentityConstants.java
      Tue Mar 11 23:25:27 2008
@@ -164,6 +164,9 @@
                        public final static String AUTH_POLICIES = 
"auth_policies";
                        public final static String NIST_AUTH_LEVEL = 
"nist_auth_level";
                        public final static String AUTH_AGE = "auth_age";
+                       public final static String PHISHING_RESISTANCE = 
"http://schemas.openid.net/pape/policies/2007/06/phishing-resistant";;
+                       public final static String MULTI_FACTOR = 
"http://schemas.openid.net/pape/policies/2007/06/multi-factor";;
+                       public final static String MULTI_FACTOR_PHYSICAL = 
"http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical";;
                }
 
                public static class SimpleRegAttributes {
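Review bot: Each of the three added constants ends in `";;`, which leaves an empty declaration after every initializer; if that is not an artifact of the mail rendering (the literals end in `";` and list software often appends a second semicolon), drop the extra one, e.g. `public final static String PHISHING_RESISTANCE = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant";`. A one-line comment above the group would also help readers who do not know PAPE, e.g. `// PAPE authentication policy identifiers; matched verbatim against the RP's preferred_auth_policies`. The inner class holding these constants (referenced as OpenId.PapeAttributes from OpenIDAuthenticationAction in this commit) opens before the hunk.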

Modified: 
trunk/solutions/identity/modules/identity-provider/src/main/java/org/wso2/solutions/identity/openid/OpenIDUtil.java
==============================================================================
--- 
trunk/solutions/identity/modules/identity-provider/src/main/java/org/wso2/solutions/identity/openid/OpenIDUtil.java
 (original)
+++ 
trunk/solutions/identity/modules/identity-provider/src/main/java/org/wso2/solutions/identity/openid/OpenIDUtil.java
 Tue Mar 11 23:25:27 2008
@@ -15,10 +15,14 @@
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.openid4java.message.AuthRequest;
+import org.openid4java.message.MessageException;
+import org.openid4java.message.ParameterList;
 import org.openid4java.server.ServerException;
 import org.wso2.solutions.identity.IdentityConstants;
 import org.wso2.solutions.identity.IdentityProviderException;
 import org.wso2.solutions.identity.UserStore;
+import org.wso2.solutions.identity.openid.extensions.OpenIDPape;
 import org.wso2.utils.ServerConfiguration;
 
 public class OpenIDUtil {
@@ -246,7 +250,7 @@
                     IdentityConstants.ErrorCodes.INVALID_OPENID_RETURNTO);
         }
     }
-    
+
     /**
      * This provides a mapping between http://schema.openid.net/ and
      * http://axschema.org
@@ -260,4 +264,25 @@
 
         return val;
     }
+
+    /**
+     * 
+     * @param params
+     * @return
+     * @throws IdentityProviderException
+     */
+    public static String[] getRequestedAuthenticationPolicies(
+            ParameterList params) throws IdentityProviderException {
+        // Process an authentication request.
+        try {
+            AuthRequest authReq = AuthRequest.createAuthRequest(params,
+                    OpenIDProvider.getManager().getRealmVerifier());
+            return OpenIDPape.getAuthenticationPolicies(authReq);
+        } catch (MessageException e) {
+            throw new IdentityProviderException(
+                    IdentityConstants.ErrorCodes.OPENID_RESP_GENERATION_FAILED,
+                    e);
+        }
+    }
+
 }
\ No newline at end of file
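Review bot: The Javadoc on getRequestedAuthenticationPolicies is an empty stub (`@param params` and `@return` carry no text); it should say the result is the relying party's preferred_auth_policies taken from the PAPE extension and that it is null when the request has no PAPE extension (see OpenIDPape.getAuthenticationPolicies in this commit), so callers must null-check. The catch block reports a failure to parse the incoming request as IdentityConstants.ErrorCodes.OPENID_RESP_GENERATION_FAILED, which names response generation; if ErrorCodes has a request-side code it would be the more accurate choice, but I cannot see that class from here. The comment `// Process an authentication request.` only restates the call; replace it with the reason, e.g. `// Re-parse the raw parameters into an AuthRequest so the PAPE extension can be read off it.`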

Modified: 
trunk/solutions/identity/modules/identity-provider/src/main/java/org/wso2/solutions/identity/openid/extensions/OpenIDPape.java
==============================================================================
--- 
trunk/solutions/identity/modules/identity-provider/src/main/java/org/wso2/solutions/identity/openid/extensions/OpenIDPape.java
      (original)
+++ 
trunk/solutions/identity/modules/identity-provider/src/main/java/org/wso2/solutions/identity/openid/extensions/OpenIDPape.java
      Tue Mar 11 23:25:27 2008
@@ -1,5 +1,7 @@
 package org.wso2.solutions.identity.openid.extensions;
 
+import java.util.List;
+
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.openid4java.message.AuthRequest;
@@ -37,9 +39,9 @@
             String profileName) throws IdentityProviderException {
 
         MessageExtension message = null;
-        //PapeRequest papeRequest = null;
+        // PapeRequest papeRequest = null;
         PapeResponse papeResponse = null;
-        //List preferredPolicies = null;
+        // List preferredPolicies = null;
         AuthRequest authRequest = null;
 
         try {
@@ -47,11 +49,12 @@
             message = authRequest.getExtension(PapeMessage.OPENID_NS_PAPE);
 
             if (message instanceof PapeRequest) {
-                //papeRequest = (PapeRequest) message;
-                //preferredPolicies = 
papeRequest.getPreferredAuthPoliciesList();
+                // papeRequest = (PapeRequest) message;
+                // preferredPolicies =
+                // papeRequest.getPreferredAuthPoliciesList();
                 papeResponse = PapeResponse.createPapeResponse();
                 papeResponse.setNistAuthLevel(1);
-                //TODO: papeResponse.setAuthAge(1);
+                // TODO: papeResponse.setAuthAge(1);
 
                 if (request.isPhishingResistanceLogin())
                     papeResponse
@@ -72,4 +75,37 @@
 
         return papeResponse;
     }
+
+    /**
+     * 
+     * @param authRequest
+     * @return
+     * @throws IdentityProviderException
+     */
+    public static String[] getAuthenticationPolicies(AuthRequest authRequest)
+            throws IdentityProviderException {
+
+        MessageExtension message = null;
+        PapeRequest papeRequest = null;
+        List preferredPolicies = null;
+
+        try {
+
+            message = authRequest.getExtension(PapeMessage.OPENID_NS_PAPE);
+
+            if (message instanceof PapeRequest) {
+                papeRequest = (PapeRequest) message;
+                preferredPolicies = papeRequest.getPreferredAuthPoliciesList();
+                return (String[]) preferredPolicies
+                        .toArray(new String[preferredPolicies.size()]);
+            }
+
+            return null;
+
+        } catch (MessageException e) {
+            throw new IdentityProviderException(
+                    IdentityConstants.ErrorCodes.OPENID_RESP_GENERATION_FAILED,
+                    e);
+        }
+    }
 }
\ No newline at end of file
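Review bot: getAuthenticationPolicies returns `null` when the request carries no PAPE extension (`return null;`), which pushes a null check onto every caller, and the one caller added in this commit (OpenIDAuthenticationAction) does not perform it; returning `return new String[0];` instead is safe for that for-each loop and keeps the contract simple. The `(String[])` cast in front of `preferredPolicies.toArray(new String[preferredPolicies.size()])` is redundant because toArray(T[]) already returns String[]. The empty Javadoc should also state that these are the RP's preferred policies, an untrusted hint from the relying party rather than something the provider has applied; the response's auth_policies (set in createPapeResponse, outside this hunk) is what asserts the policies actually used.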

Modified: 
trunk/solutions/identity/modules/user-ui/src/main/java/org/wso2/solutions/identity/user/ui/action/OpenIDAuthenticationAction.java
==============================================================================
--- 
trunk/solutions/identity/modules/user-ui/src/main/java/org/wso2/solutions/identity/user/ui/action/OpenIDAuthenticationAction.java
   (original)
+++ 
trunk/solutions/identity/modules/user-ui/src/main/java/org/wso2/solutions/identity/user/ui/action/OpenIDAuthenticationAction.java
   Tue Mar 11 23:25:27 2008
@@ -8,6 +8,7 @@
 import org.apache.struts2.StrutsStatics;
 import org.openid4java.message.ParameterList;
 import org.wso2.solutions.identity.IdentityConstants;
+import org.wso2.solutions.identity.openid.OpenIDUtil;
 
 import com.opensymphony.xwork2.ActionContext;
 
@@ -15,6 +16,12 @@
 
     private static final long serialVersionUID = 2379986821364538695L;
 
+    public boolean phishingResistanceAuthentication;
+
+    public boolean multiFactorAuthentication;
+
+    public boolean multifactPhysicalAuthentication;
+
     /**
      * This will get executed during the user's authentication to the OpenID
      * Provider
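Review bot: The three flags are declared `public` and non-final, yet the same commit adds `isPhishingResistanceAuthentication()`, `isMultiFactorAuthentication()` and `isMultifactPhysicalAuthentication()` getters at the end of the file; make the fields `private` so the only writer is execute() and the only readers are the getters, e.g. `private boolean phishingResistanceAuthentication;`. If the Struts parameter interceptor can populate public fields on an action (I cannot confirm that from here), private fields also remove the question of whether a request parameter could preset them before execute() runs. The name `multifactPhysicalAuthentication` is inconsistent with `multiFactorAuthentication`; `multiFactorPhysicalAuthentication` would match, provided the JSP expression `%{multifactPhysicalAuthentication}` is renamed with it.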
@@ -27,6 +34,7 @@
         ParameterList requestParam = null;
         HttpSession session = null;
         String openID = null;
+        String[] policies = null;
 
         context = ActionContext.getContext();
         request = (HttpServletRequest) context.get(StrutsStatics.HTTP_REQUEST);
@@ -47,6 +55,26 @@
             return ERROR;
         }
 
+        policies = OpenIDUtil.getRequestedAuthenticationPolicies(requestParam);
+
+        for (String policy : policies) {
+
+            if (policy
+                    
.equalsIgnoreCase(IdentityConstants.OpenId.PapeAttributes.PHISHING_RESISTANCE)) 
{
+                phishingResistanceAuthentication = true;
+            }
+
+            if (policy
+                    
.equalsIgnoreCase(IdentityConstants.OpenId.PapeAttributes.MULTI_FACTOR)) {
+                multiFactorAuthentication = true;
+            }
+
+            if (policy
+                    
.equalsIgnoreCase(IdentityConstants.OpenId.PapeAttributes.MULTI_FACTOR_PHYSICAL))
 {
+                multifactPhysicalAuthentication = true;
+            }
+        }
+
         loadMessages();
 
         // Check whether the remember me option is set
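Review bot: `for (String policy : policies)` throws NullPointerException for every request that has no PAPE extension, because OpenIDPape.getAuthenticationPolicies in this commit returns null in that case; wrap the loop in `if (policies != null) {` … `}` or have the helper return an empty array. The policy identifiers are URIs compared against constants with `equalsIgnoreCase`; `equals` is the stricter match and, as far as I can tell, nothing in PAPE calls for case-folding these identifiers. Since each flag is only ever set to true here, the loop relies on the action starting with all three false, which holds if Struts creates a fresh action per request (not visible here). The enclosing execute() starts before and continues past this hunk.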
@@ -88,4 +116,16 @@
         }
         return SUCCESS;
     }
+
+    public boolean isPhishingResistanceAuthentication() {
+        return phishingResistanceAuthentication;
+    }
+
+    public boolean isMultiFactorAuthentication() {
+        return multiFactorAuthentication;
+    }
+
+    public boolean isMultifactPhysicalAuthentication() {
+        return multifactPhysicalAuthentication;
+    }
 }
\ No newline at end of file

Modified: 
trunk/solutions/identity/modules/user-ui/src/main/webapp/jsp/openidauthentication.jsp
==============================================================================
--- 
trunk/solutions/identity/modules/user-ui/src/main/webapp/jsp/openidauthentication.jsp
       (original)
+++ 
trunk/solutions/identity/modules/user-ui/src/main/webapp/jsp/openidauthentication.jsp
       Tue Mar 11 23:25:27 2008
@@ -87,53 +87,67 @@
                                        %>
                                        <table>
                                                <tr>
-                                                       <td width="40%">
-                                                       <table cellpadding="0" 
cellspacing="10" border="0"
-                                                               
class="form-table">
-                                                               <tr>
-                                                                       <td 
colspan="2"><strong>Login with your OpenID
-                                                                       
password</strong></td>
-                                                               </tr>
-                                                               <tr>
-                                                                       <td 
width="10%">Password</td>
-                                                                       
<td><input type="password" name="password"></td>
-                                                               </tr>
-                                                               <tr>
-                                                                       <td 
align="left" colspan="2"><input type="checkbox"
-                                                                               
id="chkRemember" onclick="setRememberMe();">Remember
-                                                                       me on 
this computer</td>
-                                                               </tr>
-                                                               <tr>
-                                                                       <td 
colspan="2"><s:submit value="Login" align="left"
-                                                                               
cssClass="button" /></td>
-                                                               </tr>
-
-                                                       </table>
-                                                       </td>
-
-                                                       <td><img 
src="images/line-sep.png" height="150" width="2" /></td>
-
-                                                       <td valign="middle" 
align="center" width="5%"><strong>OR</strong></td>
-
-                                                       <td><img 
src="images/line-sep.png" height="150" width="2" /></td>
-
-                                                       <td>
-                                                       <table cellpadding="40">
-                                                               <tr>
-                                                                       
<td><strong>Login with your self-issued
-                                                                       
Information Card</strong>
-                                                                       <div><a 
href="OpenIDSelfIssuedLogin.action"
-                                                                               
title="Login with your Information Card"><img
-                                                                               
src="images/infocard_114x80.png" align="left"
-                                                                               
style="margin-right: 10px;" border="0" /></a> you can only login
-                                                                       with a 
personal information card that you have already
-                                                                       
registered. If you have not registered a personal information
-                                                                       card 
please first login with your username and password and
-                                                                       
register a card.</div>
+                                                       <s:if 
test="%{multifactPhysicalAuthentication}">
+                                                               <td>
+                                                               <table 
cellpadding="40">
+                                                                       <tr>
+                                                                               
<td><strong>Sorry, we do not support Multi-Factor-Physical 
Authentication</strong></td>
+                                                                       </tr>
+                                                               </table>
+                                                               </td>
+                                                       </s:if>
+                                                       <s:else>
+                                                               <s:if 
test="%{!phishingResistanceAuthentication}">
+                                                                       <td 
width="40%">
+                                                                       <table 
cellpadding="0" cellspacing="10" border="0"
+                                                                               
class="form-table">
+                                                                               
<tr>
+                                                                               
        <td colspan="2"><strong>Login with your OpenID
+                                                                               
        password</strong></td>
+                                                                               
</tr>
+                                                                               
<tr>
+                                                                               
        <td width="10%">Password</td>
+                                                                               
        <td><input type="password" name="password"></td>
+                                                                               
</tr>
+                                                                               
<tr>
+                                                                               
        <td align="left" colspan="2"><input type="checkbox"
+                                                                               
                id="chkRemember" onclick="setRememberMe();">Remember
+                                                                               
        me on this computer</td>
+                                                                               
</tr>
+                                                                               
<tr>
+                                                                               
        <td colspan="2"><s:submit value="Login" align="left"
+                                                                               
                cssClass="button" /></td>
+                                                                               
</tr>
+
+                                                                       </table>
                                                                        </td>
-                                                               </tr>
-                                                       </table>
-                                                       </td>
+
+                                                                       
<td><img src="images/line-sep.png" height="150" width="2" /></td>
+
+                                                                       <td 
valign="middle" align="center" width="5%"><strong>OR</strong></td>
+
+                                                                       
<td><img src="images/line-sep.png" height="150" width="2" /></td>
+
+                                                               </s:if>
+
+                                                               <td>
+                                                               <table 
cellpadding="40">
+                                                                       <tr>
+                                                                               
<td><strong>Login with your self-issued
+                                                                               
Information Card</strong>
+                                                                               
<div><a href="OpenIDSelfIssuedLogin.action"
+                                                                               
        title="Login with your Information Card"><img
+                                                                               
        src="images/infocard_114x80.png" align="left"
+                                                                               
        style="margin-right: 10px;" border="0" /></a> you can only login
+                                                                               
with a personal information card that you have already
+                                                                               
registered. If you have not registered a personal information
+                                                                               
card please first login with your username and password and
+                                                                               
register a card.</div>
+                                                                               
</td>
+                                                                       </tr>
+                                                               </table>
+                                                               </td>
+                                                       </s:else>
                                                </tr>
                                        </table>
                                </s:form></td>
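Review bot: Hiding the password form when `phishingResistanceAuthentication` is true is a view-only measure: the surrounding `<s:form>` still posts to the same action, and nothing in OpenIDAuthenticationAction in this commit rejects a password submission when a phishing-resistant policy was requested, so a server-side check in the action is what would make the provider's claim hold (the response-side flag is taken from request.isPhishingResistanceLogin() in OpenIDPape, outside this hunk). The `multifactPhysicalAuthentication` branch removes every login option; if that is intended, a short explanation or a link back to the plain login would help the user. The `<s:form>` wrapping this table opens and closes outside the hunk.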
