diff options
author | Thomas Lenz <tlenz@iaik.tugraz.at> | 2014-03-19 12:17:32 +0100 |
---|---|---|
committer | Thomas Lenz <tlenz@iaik.tugraz.at> | 2014-03-19 12:17:32 +0100 |
commit | 76b43178f068650e8df40c3f7eb4993ff709499c (patch) | |
tree | 4b3a6eea8842115c532788bf09034b791f40ca06 /id/server/idserverlib/src/main/java/at/gv | |
parent | 0ebfb92d43e8333705c8058039d2334476d61f6c (diff) | |
download | moa-id-spss-76b43178f068650e8df40c3f7eb4993ff709499c.tar.gz moa-id-spss-76b43178f068650e8df40c3f7eb4993ff709499c.tar.bz2 moa-id-spss-76b43178f068650e8df40c3f7eb4993ff709499c.zip |
Add advanced parameter validation. Redirect is only allowed if Redirect URL maps to OA configuration.
Load redirectTarget from OA configuration.
Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv')
2 files changed, 23 insertions, 5 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/RedirectFormBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/RedirectFormBuilder.java index e2a736330..2a5c8d418 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/RedirectFormBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/RedirectFormBuilder.java @@ -31,7 +31,8 @@ import at.gv.egovernment.moa.logging.Logger; public class RedirectFormBuilder { - private static String URL = "#URL#"; + private static String URL = "#URL#"; + private static String TARGET = "#TARGET#"; private static String template; private static String getTemplate() { @@ -53,9 +54,10 @@ public class RedirectFormBuilder { return template; } - public static String buildLoginForm(String url) { + public static String buildLoginForm(String url, String redirectTarget) { String value = getTemplate(); value = value.replace(URL, url); + value = value.replace(TARGET, redirectTarget); return value; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java index 02028bf1a..671151bbe 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java @@ -54,14 +54,30 @@ public class RedirectServlet extends AuthServlet{ String target = req.getParameter(PARAM_TARGET); String artifact = req.getParameter(PARAM_SAMLARTIFACT); + if (MiscUtil.isEmpty(artifact)) { + resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Parameters not valid"); + return; + } + Logger.debug("Check URL against online-applications"); + OnlineApplication oa = null; + String redirectTarget = "_parent"; try { - OnlineApplication oa = ConfigurationDBRead.getActiveOnlineApplication(url); + oa = ConfigurationDBRead.getActiveOnlineApplication(url); if (oa == null) { - resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Request not allowed."); + resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Parameters not valid"); return; + } else { + try { + redirectTarget = oa.getAuthComponentOA().getTemplates().getBKUSelectionCustomization().getAppletRedirectTarget(); + + } catch (Exception e) { + Logger.debug("Use default redirectTarget."); + } + } + } catch (Throwable e) { resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Request not allowed."); return; @@ -85,7 +101,7 @@ public class RedirectServlet extends AuthServlet{ URLEncoder.encode(artifact, "UTF-8")); url = resp.encodeRedirectURL(url); - String redirect_form = RedirectFormBuilder.buildLoginForm(url); + String redirect_form = RedirectFormBuilder.buildLoginForm(url, redirectTarget); resp.setContentType("text/html;charset=UTF-8"); PrintWriter out = new PrintWriter(resp.getOutputStream()); |