summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/PVPAuthRequestSignedRole.java23
1 files changed, 18 insertions, 5 deletions
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/PVPAuthRequestSignedRole.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/PVPAuthRequestSignedRole.java
index 6a5886a7..6d5fdff8 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/PVPAuthRequestSignedRole.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/PVPAuthRequestSignedRole.java
@@ -26,6 +26,8 @@
*******************************************************************************/
package at.gv.egiz.eaaf.modules.pvp2.impl.verification;
+import java.util.List;
+
import org.opensaml.common.binding.SAMLMessageContext;
import org.opensaml.saml2.binding.security.SAML2AuthnRequestsSignedRule;
import org.opensaml.ws.transport.http.HTTPInTransport;
@@ -41,13 +43,24 @@ public class PVPAuthRequestSignedRole extends SAML2AuthnRequestsSignedRule {
protected boolean isMessageSigned(SAMLMessageContext messageContext) {
// This handles HTTP-Redirect and HTTP-POST-SimpleSign bindings.
HTTPInTransport inTransport = (HTTPInTransport) messageContext.getInboundMessageTransport();
- String sigParam = inTransport.getParameterValue("Signature");
- boolean isSigned = !DatatypeHelper.isEmpty(sigParam);
- String sigAlgParam = inTransport.getParameterValue("SigAlg");
- boolean isSigAlgExists = !DatatypeHelper.isEmpty(sigAlgParam);
+ //Check signature parameter exists only once and is not empty
+ List<String> sigParam = inTransport.getParameterValues("Signature");
+ boolean isValidSigned = sigParam.size() == 1 && !DatatypeHelper.isEmpty(sigParam.get(0));
+
+ //Check signature-algorithm parameter exists only once and is not empty
+ List<String> sigAlgParam = inTransport.getParameterValues("SigAlg");
+ boolean isValidSigAlgExists = sigAlgParam.size() == 1 && !DatatypeHelper.isEmpty(sigAlgParam.get(0));
+
+ //Check signature-content parameter exists only once and is not empty
+ List<String> samlReqParam = inTransport.getParameterValues("SAMLRequest");
+ List<String> samlRespParam = inTransport.getParameterValues("SAMLResponse");
+ boolean isValidContent = ( ( samlReqParam.size() == 1 && !DatatypeHelper.isEmpty(samlReqParam.get(0)) )
+ || ( samlRespParam.size() == 1 && !DatatypeHelper.isEmpty(samlRespParam.get(0)) )
+ ) && !(samlReqParam.size() == 1 && samlRespParam.size() == 1)
+ ;
- return isSigned && isSigAlgExists;
+ return isValidSigned && isValidSigAlgExists && isValidContent;
}
}