diff options
author | Thomas Lenz <tlenz@iaik.tugraz.at> | 2014-03-18 14:11:52 +0100 |
---|---|---|
committer | Thomas Lenz <tlenz@iaik.tugraz.at> | 2014-03-18 14:11:52 +0100 |
commit | 3f3108fc808f53c3c8bc001de6ff19ce962bdc9b (patch) | |
tree | a46b8d2c963a917d659610c9b8347faf16914905 /id/server/idserverlib/src/main/java/at/gv | |
parent | 7eedd2db839b71744b9bfacfc892b1a93fc55dbc (diff) | |
download | moa-id-spss-3f3108fc808f53c3c8bc001de6ff19ce962bdc9b.tar.gz moa-id-spss-3f3108fc808f53c3c8bc001de6ff19ce962bdc9b.tar.bz2 moa-id-spss-3f3108fc808f53c3c8bc001de6ff19ce962bdc9b.zip |
check if redirect target is an valid online-application
Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv')
-rw-r--r-- | id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java | 25 |
1 files changed, 24 insertions, 1 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java index 7c51e7d6b..02028bf1a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java @@ -30,6 +30,9 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import at.gv.egovernment.moa.id.auth.builder.RedirectFormBuilder; +import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead; +import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils; +import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; import at.gv.egovernment.moa.util.URLEncoder; @@ -45,12 +48,29 @@ public class RedirectServlet extends AuthServlet{ protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { - Logger.info("Receive " + RedirectServlet.class + " Request"); + Logger.debug("Receive " + RedirectServlet.class + " Request"); String url = req.getParameter(REDIRCT_PARAM_URL); String target = req.getParameter(PARAM_TARGET); String artifact = req.getParameter(PARAM_SAMLARTIFACT); + Logger.debug("Check URL against online-applications"); + try { + OnlineApplication oa = ConfigurationDBRead.getActiveOnlineApplication(url); + if (oa == null) { + resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Request not allowed."); + return; + + } + } catch (Throwable e) { + resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Request not allowed."); + return; + + } finally { + ConfigurationDBUtils.closeSession(); + + } + Logger.info("Redirect to " + url); if (MiscUtil.isNotEmpty(target)) { @@ -71,6 +91,9 @@ public class RedirectServlet extends AuthServlet{ PrintWriter out = new PrintWriter(resp.getOutputStream()); out.write(redirect_form); out.flush(); + + } + } |