author | Thomas Lenz <tlenz@iaik.tugraz.at> | 2014-03-31 07:48:47 +0200 |
---|---|---|
committer | Thomas Lenz <tlenz@iaik.tugraz.at> | 2014-03-31 07:48:47 +0200 |
commit | 8cb4ecdf1f2e120e4dcf3c1a4101206250028444 (patch) | |
tree | daee978ef5c91fdaaa507535230697579d31562d /id/server | |
parent | 3d8670eaeda9bc6898a7658a9dd7c954d40b435d (diff) | |
Allow only redirect to OAs from OA configuration
Diffstat (limited to 'id/server')
-rw-r--r-- | id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java | 20 |
1 files changed, 19 insertions, 1 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java
index 84732d4ce..a11601daa 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java
@@ -54,6 +54,9 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import at.gv.egovernment.moa.id.auth.MOAIDAuthInitializer;
+import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead;
+import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils;
+import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication;
 import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
 import at.gv.egovernment.moa.id.moduls.AuthenticationManager;
 import at.gv.egovernment.moa.id.moduls.RequestStorage;
@@ -86,6 +89,16 @@ public class LogOutServlet extends AuthServlet {
 //set default redirect Target
 Logger.debug("Set default RedirectURL back to MOA-ID-Auth");
 redirectUrl = AuthConfigurationProvider.getInstance().getPublicURLPrefix();
+
+ } else {
+ //return an error if RedirectURL is not a active Online-Applikation
+ OnlineApplication oa = ConfigurationDBRead.getActiveOnlineApplication(redirectUrl);
+ if (oa == null) {
+ resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Parameters not valid");
+ return;
+
+ }
+
 }
 if (ssomanager.isValidSSOSession(ssoid, req)) {
@@ -108,7 +121,12 @@ public class LogOutServlet extends AuthServlet {
 ssomanager.deleteSSOSessionID(req, resp);
 } catch (Exception e) {
- Logger.warn(LogOutServlet.class.getName() + " has an LogOut Error. Redirect to Applikation " + redirectUrl, e);
+ resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Request not allowed.");
+ return;
+
+ } finally {
+ ConfigurationDBUtils.closeSession();
+
 }
 //Redirect to Application |
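Review bot: The allow-list check in the new `else` branch is only as strict as the matching inside `ConfigurationDBRead.getActiveOnlineApplication(redirectUrl)`, which is not visible here; if that lookup compares by prefix or pattern rather than by parsed scheme, host and port, a URL that merely begins with a configured prefix would still be accepted and the redirect would stay partly open. The code after the check appears to keep using the request-supplied `redirectUrl`, so it would be safer to redirect to a value taken from the matched configuration entry, or at least to state in the comment which comparison the check relies on. The `return` on `oa == null` also seems to leave before the `finally` added further down in this commit, so `ConfigurationDBUtils.closeSession()` is probably skipped on the rejection path (the `try` opening is outside the hunk). A rejected target deserves a log line so that probing of the logout endpoint is visible to operations, e.g. `Logger.warn("LogOut rejected: RedirectURL is not a configured Online-Application");`.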
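Review bot: The rewritten `catch (Exception e)` body discards the exception without logging it, so a failed logout now leaves no server-side trace for incident review; keep a warning ahead of the error response, e.g. `Logger.warn(LogOutServlet.class.getName() + " has an LogOut Error.", e);`. Answering every `Exception` with `SC_FORBIDDEN` also reports internal failures as an authorization decision, and `SC_INTERNAL_SERVER_ERROR` would be the more accurate status for anything that is not a policy rejection. The `try` starts outside this hunk, so which calls besides the visible `ssomanager.deleteSSOSessionID(req, resp)` can reach this handler cannot be confirmed from here.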