update PVP Single LogOut request/response signature validation

1 files changed, 18 insertions, 1 deletions

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java
index b7148a318..fe5cd1ac0 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java
@@ -63,6 +63,23 @@ public class IDPSingleLogOutServlet extends AuthServlet {
 	protected void doGet(HttpServletRequest req, HttpServletResponse resp)
 			    throws ServletException, IOException {
 		Logger.debug("receive IDP SingleLogOut Request");
+		
+		String authURL = HTTPUtils.extractAuthURLFromRequest(req);
+		try {
+			if (!AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix().contains(authURL)) {		
+				Logger.warn("Requested URL " + authURL + " is not in PublicPrefix Configuration");
+				resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Request not allowed");
+				return;
+			
+			}
+			
+		} catch (MOAIDException e) {
+			Logger.error("Internal Server Error.", e);
+			resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Internal Server Error");
+			return;
+			
+		}
+		
 		SSOManager ssomanager = SSOManager.getInstance();		
 		String ssoid = ssomanager.getSSOSessionID(req);
 		
@@ -110,7 +127,7 @@ public class IDPSingleLogOutServlet extends AuthServlet {
 						AuthenticationSession authSession = AuthenticationSessionStoreage
 								.getSession(moaSessionID);
 						if(authSession != null) {
-							authmanager.performSingleLogOut(req, resp, authSession, null);
+							authmanager.performSingleLogOut(req, resp, authSession, authURL);
 							return;
 							
 						}