aboutsummaryrefslogtreecommitdiff
path: root/id/server/idserverlib/src/main/java
diff options
context:
space:
mode:
authorThomas Lenz <tlenz@iaik.tugraz.at>2020-08-31 13:51:14 +0200
committerThomas Lenz <tlenz@iaik.tugraz.at>2020-08-31 13:51:14 +0200
commit3ead2fee52a1e43e12610fda8175cb1a74e8b1f0 (patch)
tree8b3f52b6366b9d326704a125ebc9e4dc9b30b4d3 /id/server/idserverlib/src/main/java
parent8322112004a0334a5d73795760880e635813793b (diff)
downloadmoa-id-spss-3ead2fee52a1e43e12610fda8175cb1a74e8b1f0.tar.gz
moa-id-spss-3ead2fee52a1e43e12610fda8175cb1a74e8b1f0.tar.bz2
moa-id-spss-3ead2fee52a1e43e12610fda8175cb1a74e8b1f0.zip
update validation in case of file:/ paths because trusted templates can be relative to config directory
Diffstat (limited to 'id/server/idserverlib/src/main/java')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java28
1 files changed, 24 insertions, 4 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java
index 065615666..0e468bb6b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java
@@ -49,6 +49,7 @@ package at.gv.egovernment.moa.id.util;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.net.MalformedURLException;
+import java.net.URISyntaxException;
import java.net.URL;
import java.util.Collections;
import java.util.HashMap;
@@ -63,6 +64,7 @@ import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXException;
import at.gv.egiz.eaaf.core.impl.utils.DOMUtils;
+import at.gv.egiz.eaaf.core.impl.utils.FileUtils;
import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
@@ -309,7 +311,7 @@ public class ParamValidatorUtils extends MOAIDAuthConstants{
}
}
- } catch (MalformedURLException | ConfigurationException e) {
+ } catch (MalformedURLException | ConfigurationException | URISyntaxException e) {
Logger.error("Fehler Ueberpruefung Parameter Template bzw. bkuSelectionTemplateURL.", e);
return false;
@@ -529,24 +531,42 @@ public class ParamValidatorUtils extends MOAIDAuthConstants{
}
private static boolean validateTemplateUrlToWhiteList(String template, List<String> oaSlTemplates)
- throws ConfigurationException {
+ throws ConfigurationException, MalformedURLException, URISyntaxException {
//check against configured trustet template urls
AuthConfiguration authConf = AuthConfigurationProviderFactory.getInstance();
List<String> trustedTemplateURLs = authConf.getSLRequestTemplates();
//get OA specific template URLs
- if (oaSlTemplates != null && oaSlTemplates.size() > 0) {
+ if (oaSlTemplates != null && !oaSlTemplates.isEmpty()) {
for (String el : oaSlTemplates)
if (MiscUtil.isNotEmpty(el))
trustedTemplateURLs.add(el);
}
- boolean b = trustedTemplateURLs.contains(template);
+ boolean b = false;
+ if (template.startsWith("file:")) {
+ for (String el : trustedTemplateURLs) {
+ URL templateUrl = new URL(template);
+ URL trustedUrl = new URL(FileUtils.makeAbsoluteURL(el, authConf.getConfigurationRootDirectory()));
+ b = trustedUrl.equals(templateUrl);
+ if (b) {
+ break;
+ }
+ }
+
+ } else {
+ b = trustedTemplateURLs.contains(template);
+
+ }
+
+
if (b) {
Logger.debug("Parameter Template erfolgreich ueberprueft");
return true;
} else {
+ Logger.info("Template:" + template + " DOES NOT match to allowed templates: ["
+ + org.apache.commons.lang3.StringUtils.join(trustedTemplateURLs, ",") + "]");
Logger.error("Fehler Ueberpruefung Parameter Template bzw. bkuSelectionTemplateURL. "
+ "Parameter ist nicht auf Liste der vertrauenswuerdigen Template URLs "
+ "(Konfigurationselement: MOA-IDConfiguration/TrustedTemplateURLs)");