authorThomas Lenz <tlenz@iaik.tugraz.at>2014-03-31 07:48:47 +0200
committerThomas Lenz <tlenz@iaik.tugraz.at>2014-03-31 07:48:47 +0200
commit8cb4ecdf1f2e120e4dcf3c1a4101206250028444 (patch)
treedaee978ef5c91fdaaa507535230697579d31562d /id/server/idserverlib/src
parent3d8670eaeda9bc6898a7658a9dd7c954d40b435d (diff)
Allow redirects only to OAs listed in the OA configuration
Diffstat (limited to 'id/server/idserverlib/src')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java20
1 files changed, 19 insertions, 1 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java
index 84732d4ce..a11601daa 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java
@@ -54,6 +54,9 @@ import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import at.gv.egovernment.moa.id.auth.MOAIDAuthInitializer;
+import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead;
+import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils;
+import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication;
import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
import at.gv.egovernment.moa.id.moduls.AuthenticationManager;
import at.gv.egovernment.moa.id.moduls.RequestStorage;
@@ -86,6 +89,16 @@ public class LogOutServlet extends AuthServlet {
//set default redirect Target
Logger.debug("Set default RedirectURL back to MOA-ID-Auth");
redirectUrl = AuthConfigurationProvider.getInstance().getPublicURLPrefix();
+
+ } else {
+ //return an error if RedirectURL is not a active Online-Applikation
+ OnlineApplication oa = ConfigurationDBRead.getActiveOnlineApplication(redirectUrl);
+ if (oa == null) {
+ resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Parameters not valid");
+ return;
+
+ }
+
}
if (ssomanager.isValidSSOSession(ssoid, req)) {
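Review bot: The early `return` after `resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Parameters not valid")` leaves the method before the `try`/`finally` further down that calls `ConfigurationDBUtils.closeSession()`, so whatever session `ConfigurationDBRead.getActiveOnlineApplication(redirectUrl)` opened is not released on the rejection path — assuming it binds a thread-local session the way that later `finally` suggests, which this hunk alone cannot confirm. I would add `ConfigurationDBUtils.closeSession();` directly before that `return;`, or move the lookup inside the guarded block. Rejected targets are also discarded without a trace; for abuse detection log them first, e.g. `Logger.warn("Logout redirectUrl is not an active online application: " + redirectUrl);`. Whether the lookup matches the parameter exactly or by prefix decides how completely this closes the open redirect, so once confirmed a comment such as `// redirectUrl must match a configured OA exactly; a prefix match would reopen the redirect` belongs above the lookup. The enclosing if/else begins outside the hunk.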
@@ -108,7 +121,12 @@ public class LogOutServlet extends AuthServlet {
ssomanager.deleteSSOSessionID(req, resp);
} catch (Exception e) {
- Logger.warn(LogOutServlet.class.getName() + " has an LogOut Error. Redirect to Applikation " + redirectUrl, e);
+ resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Request not allowed.");
+ return;
+
+ } finally {
+ ConfigurationDBUtils.closeSession();
+
}
//Redirect to Application
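Review bot: The new catch body at `} catch (Exception e) {` drops the exception entirely — the removed line recorded it with `Logger.warn(..., e)`, while the replacement sends a 403 and returns without logging `e`, so a failing `deleteSSOSessionID` or `isValidSSOSession` leaves nothing for incident response. Keep a log line before the error response, `Logger.warn(LogOutServlet.class.getName() + " LogOut error for redirect target " + redirectUrl, e);`. A 403 also tells the client the request was forbidden when the failure is internal; `HttpServletResponse.SC_INTERNAL_SERVER_ERROR` is the more honest status unless this catch is meant to cover only validation failures, which I cannot tell because the `try` begins outside the hunk. The `finally` that closes the configuration DB session is right for this path, but it only runs when execution reaches this `try`.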