authorThomas Lenz <tlenz@iaik.tugraz.at>2014-03-19 12:17:32 +0100
committerThomas Lenz <tlenz@iaik.tugraz.at>2014-03-19 12:17:32 +0100
commit76b43178f068650e8df40c3f7eb4993ff709499c (patch)
tree4b3a6eea8842115c532788bf09034b791f40ca06 /id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java
parent0ebfb92d43e8333705c8058039d2334476d61f6c (diff)
Add advanced parameter validation. Redirect is only allowed if Redirect URL maps to OA configuration.
Load redirectTarget from OA configuration.
Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java22
1 files changed, 19 insertions, 3 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java
index 02028bf1a..671151bbe 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java
@@ -54,14 +54,30 @@ public class RedirectServlet extends AuthServlet{
String target = req.getParameter(PARAM_TARGET);
String artifact = req.getParameter(PARAM_SAMLARTIFACT);
+ if (MiscUtil.isEmpty(artifact)) {
+ resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Parameters not valid");
+ return;
+ }
+
Logger.debug("Check URL against online-applications");
+ OnlineApplication oa = null;
+ String redirectTarget = "_parent";
try {
- OnlineApplication oa = ConfigurationDBRead.getActiveOnlineApplication(url);
+ oa = ConfigurationDBRead.getActiveOnlineApplication(url);
if (oa == null) {
- resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Request not allowed.");
+ resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Parameters not valid");
return;
+ } else {
+ try {
+ redirectTarget = oa.getAuthComponentOA().getTemplates().getBKUSelectionCustomization().getAppletRedirectTarget();
+
+ } catch (Exception e) {
+ Logger.debug("Use default redirectTarget.");
+ }
+
}
+
} catch (Throwable e) {
resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Request not allowed.");
return;
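Review bot: The inner `try { … } catch (Exception e)` around `oa.getAuthComponentOA().getTemplates().getBKUSelectionCustomization().getAppletRedirectTarget()` uses a broad catch to absorb a missing configuration element, which also hides unrelated programming errors, and the debug message `"Use default redirectTarget."` drops the exception, so a misconfigured OA silently falls back to `_parent` with nothing to diagnose. A missing template section is an expected condition rather than an exceptional one, so check each intermediate object for null explicitly and keep the fallback; if a catch is retained, narrow it and include the caught exception in the debug log. The `else` after the `return` in the `oa == null` branch is redundant and can be dropped so the fallback code sits at one indentation level. `redirectTarget` is a configuration-sourced string that reaches `RedirectFormBuilder.buildLoginForm(url, redirectTarget)` in the second hunk; whether it is escaped or restricted before being placed into the HTML form is not visible here, so confirm that it is. The enclosing method continues outside the hunk.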
@@ -85,7 +101,7 @@ public class RedirectServlet extends AuthServlet{
URLEncoder.encode(artifact, "UTF-8"));
url = resp.encodeRedirectURL(url);
- String redirect_form = RedirectFormBuilder.buildLoginForm(url);
+ String redirect_form = RedirectFormBuilder.buildLoginForm(url, redirectTarget);
resp.setContentType("text/html;charset=UTF-8");
PrintWriter out = new PrintWriter(resp.getOutputStream());