aboutsummaryrefslogtreecommitdiff
path: root/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java
diff options
context:
space:
mode:
authorThomas Lenz <tlenz@iaik.tugraz.at>2014-04-02 12:14:22 +0200
committerThomas Lenz <tlenz@iaik.tugraz.at>2014-04-02 12:14:22 +0200
commitb93dce9835884f005ff262de4882ffbca167fc04 (patch)
treeeed0551650051bca86f9011dfb6961068be2977d /id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java
parent07e74546f01f69545b77518e0e651b43a4e04e91 (diff)
downloadmoa-id-spss-b93dce9835884f005ff262de4882ffbca167fc04.tar.gz
moa-id-spss-b93dce9835884f005ff262de4882ffbca167fc04.tar.bz2
moa-id-spss-b93dce9835884f005ff262de4882ffbca167fc04.zip
check response desination URL
Diffstat (limited to 'id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java')
-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java13
1 files changed, 13 insertions, 0 deletions
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java
index 8004ab520..12bd4aff9 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java
@@ -290,6 +290,19 @@ public class IndexAction extends ActionSupport implements ServletRequestAware,
}
+ //check response destination
+ String serviceURL = config.getPublicUrlPreFix(request);
+ if (!serviceURL.endsWith("/"))
+ serviceURL = serviceURL + "/";
+
+ String responseDestination = samlResponse.getDestination();
+ if (MiscUtil.isEmpty(responseDestination) ||
+ !responseDestination.equals(serviceURL + Constants.SERVLET_PVP2ASSERTION)) {
+ log.warn("PVPResponse destination does not match requested destination");
+ return Constants.STRUTS_ERROR;
+ }
+
+ //check if response is signed
Signature sign = samlResponse.getSignature();
if (sign == null) {
log.info("Only http POST Requests can be used");