diff options
author | Thomas Lenz <tlenz@iaik.tugraz.at> | 2016-02-10 13:13:48 +0100 |
---|---|---|
committer | Thomas Lenz <tlenz@iaik.tugraz.at> | 2016-02-10 13:13:48 +0100 |
commit | 8b29eb9a19c4dcf6e30e34e41b8c6db61a21adb6 (patch) | |
tree | 782b07c818bffa60068a3409477f198d953aaf39 | |
parent | 3f752412b85561e4207cd6fd7c2872da68e5133f (diff) | |
parent | d1a26145ba00478249a8f006d74be49f857b1f34 (diff) | |
download | moa-id-spss-8b29eb9a19c4dcf6e30e34e41b8c6db61a21adb6.tar.gz moa-id-spss-8b29eb9a19c4dcf6e30e34e41b8c6db61a21adb6.tar.bz2 moa-id-spss-8b29eb9a19c4dcf6e30e34e41b8c6db61a21adb6.zip |
Merge branch 'moa-id-3.0.0-snapshot' into moa-id-3.2_(OPB)
Conflicts:
id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java
5 files changed, 22 insertions, 6 deletions
diff --git a/common/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java b/common/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java index 2b816ed4c..0a07fc4a7 100644 --- a/common/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java +++ b/common/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java @@ -246,6 +246,10 @@ public class DOMUtils { parser.setFeature(CREATE_ENTITY_REF_NODES_FEATURE, false); parser.setFeature(EXTERNAL_GENERAL_ENTITIES_FEATURE, false); parser.setFeature(EXTERNAL_PARAMETER_ENTITIES_FEATURE, false); + + //fix XXE problem + parser.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + if (validating) { if (externalSchemaLocations != null) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/FinalizeAuthenticationTask.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/FinalizeAuthenticationTask.java index 8add03da7..712ebb731 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/FinalizeAuthenticationTask.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/FinalizeAuthenticationTask.java @@ -59,6 +59,12 @@ public class FinalizeAuthenticationTask extends AbstractAuthServletTask { IRequest pendingReq = RequestStorage.getPendingRequest( (String) executionContext.get("pendingRequestID")); + if (pendingReq == null) { + Logger.info("No PendingRequest with Id: " + executionContext.get("pendingRequestID") + " Maybe, a transaction timeout occure."); + throw new MOAIDException("auth.28", new Object[]{executionContext.get("pendingRequestID")}); + + } + //get Session from context String moasessionid = (String) executionContext.get(PARAM_SESSIONID); AuthenticationSession session = null; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java index ee5685e5f..c0ec086ed 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java @@ -296,6 +296,8 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo { } } catch (PVP2Exception e) { + String samlRequest = request.getParameter("SAMLRequest"); + Logger.warn("Receive INVALID protocol request: " + samlRequest, e); throw e; } catch (SecurityPolicyException e) { diff --git a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties index 342d54f7f..abd5d15f3 100644 --- a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties +++ b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties @@ -181,7 +181,11 @@ stork.21=1205 pvp2.01=6100 pvp2.06=6100 +pvp2.10=6100 +pvp2.11=6100 +pvp2.12=6100 pvp2.13=9199 +pvp2.15=6105 pvp2.16=6101 pvp2.17=6102 pvp2.20=6103 diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java index 421d00cbe..5312d779c 100644 --- a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java +++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java @@ -107,7 +107,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer { samlArtifact, ex.toString() }); } Throwable error = null; - synchronized (authenticationDataStore) { + //synchronized (authenticationDataStore) { try { error = authenticationDataStore .get(samlArtifact, Throwable.class); @@ -119,7 +119,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer { throw new AuthenticationException("1206", new Object[] { samlArtifact }); } - } + //} return error; } @@ -178,7 +178,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer { samlArtifact, ex.toString() }); } String authData = null; - synchronized (authenticationDataStore) { + //synchronized (authenticationDataStore) { // System.out.println("assertionHandle: " + assertionHandle); try { @@ -189,7 +189,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer { Logger.error("Assertion not found for SAML Artifact: " + samlArtifact); throw new AuthenticationException("1206", new Object[] { samlArtifact }); } - } + //} authenticationDataStore.remove(samlArtifact); @@ -616,11 +616,11 @@ public class SAML1AuthenticationServer extends AuthenticationServer { new Object[] { samlArtifact }); parser.parseAssertionHandle(); - synchronized (authenticationDataStore) { + //synchronized (authenticationDataStore) { Logger.debug("Assertion stored for SAML Artifact: " + samlArtifact); authenticationDataStore.put(samlArtifact, samlAssertion); - } + //} } catch (AuthenticationException ex) { throw ex; |