aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorThomas Lenz <tlenz@iaik.tugraz.at>2016-06-21 15:35:13 +0200
committerThomas Lenz <tlenz@iaik.tugraz.at>2016-06-21 15:35:13 +0200
commit055d4911acee6ab9d989f5a1574bbe9a9ade4404 (patch)
treeb17df11cf584070d902b765dd3dbaa24d7ff27e8
parente96e4e6cc59ce5ae538b44c45ca9a6a83419a911 (diff)
downloadmoa-id-spss-055d4911acee6ab9d989f5a1574bbe9a9ade4404.tar.gz
moa-id-spss-055d4911acee6ab9d989f5a1574bbe9a9ade4404.tar.bz2
moa-id-spss-055d4911acee6ab9d989f5a1574bbe9a9ade4404.zip
fix a request validation problem in eIDAS endpoint
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java20
1 files changed, 15 insertions, 5 deletions
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
index 379a16a96..85fb1626f 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
@@ -196,23 +196,33 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController {
samlReq.setPersonalAttributeList(pendingReq.getEidasRequestedAttributes()); // circumvent non-serializable eidas personal attribute list
pendingReq.setEidasRequest(samlReq);
- //validate destination against metadata
+ //validate Destination against MOA-ID-Auth configuration
String reqDestination = samlReq.getDestination();
- if (MiscUtil.isNotEmpty(reqDestination)) {
+ if (MiscUtil.isEmpty(reqDestination) ||
+ !reqDestination.startsWith(pendingReq.getAuthURL())) {
+ Logger.info("eIDAS AuthnRequest contains a not valid 'Destination' attribute");
+ throw new eIDASAuthnRequestValidationException("stork.01",
+ new Object[]{"eIDAS AuthnRequest contains a not valid 'Destination' attribute"});
+
+ }
+
+ //validate AssertionConsumerServiceURL against metadata
+ String reqAssertionConsumerServiceURL = samlReq.getAssertionConsumerServiceURL();
+ if (MiscUtil.isNotEmpty(reqAssertionConsumerServiceURL)) {
boolean isValid = false;
List<AssertionConsumerService> allowedAssertionConsumerUrl = new MOAeIDASMetadataProviderDecorator(eIDASMetadataProvider)
.getSPSSODescriptor(samlReq.getIssuer()).getAssertionConsumerServices();
for (AssertionConsumerService el : allowedAssertionConsumerUrl) {
- if (reqDestination.equals(el.getLocation()))
+ if (reqAssertionConsumerServiceURL.equals(el.getLocation()))
isValid = true;
}
if (!isValid) {
- Logger.info("eIDAS AuthnRequest contains a not valid 'Destination' attribute");
+ Logger.info("eIDAS AuthnRequest contains a not valid 'AssertionConsumerServiceURL' attribute");
throw new eIDASAuthnRequestValidationException("stork.01",
- new Object[]{"eIDAS AuthnRequest contains a not valid 'Destination' attribute"});
+ new Object[]{"eIDAS AuthnRequest contains a not valid 'AssertionConsumerServiceURL' attribute"});
}
}