aboutsummaryrefslogtreecommitdiff
path: root/id
diff options
context:
space:
mode:
authorThomas Lenz <tlenz@iaik.tugraz.at>2016-01-25 13:46:07 +0100
committerThomas Lenz <tlenz@iaik.tugraz.at>2016-01-25 13:46:07 +0100
commit4e9eaf03791445d3c91470e127af9a5f4bef8d82 (patch)
tree7fcd1ec9c1d089e8f1294a3819a05bf9c837f91c /id
parent75bde5bfee8ec932b2a8c0ce4cad11860b1ba450 (diff)
downloadmoa-id-spss-4e9eaf03791445d3c91470e127af9a5f4bef8d82.tar.gz
moa-id-spss-4e9eaf03791445d3c91470e127af9a5f4bef8d82.tar.bz2
moa-id-spss-4e9eaf03791445d3c91470e127af9a5f4bef8d82.zip
fix AuthnRequest validation: requested AssertionConsumerServiceURL MUST be equal to AssertionConsumerService in PVP metadata
Diffstat (limited to 'id')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java26
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/InvalidAssertionConsumerServiceException.java9
-rw-r--r--id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties1
3 files changed, 31 insertions, 5 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
index 6ed3f0eb5..ee5685e5f 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
@@ -623,10 +623,25 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo {
AssertionConsumerService consumerService = null;
if (MiscUtil.isNotEmpty(authnRequest.getAssertionConsumerServiceURL()) &&
MiscUtil.isNotEmpty(authnRequest.getProtocolBinding())) {
- //use AssertionConsumerServiceURL from request
- consumerService = SAML2Utils.createSAMLObject(AssertionConsumerService.class);
- consumerService.setBinding(authnRequest.getProtocolBinding());
- consumerService.setLocation(authnRequest.getAssertionConsumerServiceURL());
+ //use AssertionConsumerServiceURL from request
+
+ //check requested AssertionConsumingService URL against metadata
+ List<AssertionConsumerService> metadataAssertionServiceList = spSSODescriptor.getAssertionConsumerServices();
+ for (AssertionConsumerService service : metadataAssertionServiceList) {
+ if (authnRequest.getProtocolBinding().equals(service.getBinding())
+ && authnRequest.getAssertionConsumerServiceURL().equals(service.getLocation())) {
+ consumerService = SAML2Utils.createSAMLObject(AssertionConsumerService.class);
+ consumerService.setBinding(authnRequest.getProtocolBinding());
+ consumerService.setLocation(authnRequest.getAssertionConsumerServiceURL());
+ Logger.debug("Requested AssertionConsumerServiceURL is valid.");
+ }
+ }
+
+ if (consumerService == null) {
+ throw new InvalidAssertionConsumerServiceException(authnRequest.getAssertionConsumerServiceURL());
+
+ }
+
} else {
//use AssertionConsumerServiceIndex and select consumerService from metadata
@@ -645,9 +660,10 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo {
if (consumerService == null) {
throw new InvalidAssertionConsumerServiceException(aIdx);
- }
+ }
}
+
//select AttributeConsumingService from request
AttributeConsumingService attributeConsumer = null;
Integer aIdx = authnRequest.getAttributeConsumingServiceIndex();
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/InvalidAssertionConsumerServiceException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/InvalidAssertionConsumerServiceException.java
index 94a4e8226..392569366 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/InvalidAssertionConsumerServiceException.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/InvalidAssertionConsumerServiceException.java
@@ -34,6 +34,15 @@ public class InvalidAssertionConsumerServiceException extends PVP2Exception {
/**
*
*/
+ public InvalidAssertionConsumerServiceException(String wrongURL) {
+ super("pvp2.23", new Object[]{wrongURL});
+ this.statusCodeValue = StatusCode.REQUESTER_URI;
+
+ }
+
+ /**
+ *
+ */
private static final long serialVersionUID = 7861790149343943091L;
}
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
index ceb701814..cabf1557e 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
@@ -266,6 +266,7 @@ pvp2.19=Der Single LogOut Vorgang musste wegen eines unkorregierbaren Fehler abg
pvp2.20=F\u00FCr die im Request angegebene EntityID konnten keine g\u00FCltigen Metadaten gefunden werden.
pvp2.21=Die Signature des Requests konnte nicht g\u00FCltig validiert werden.
pvp2.22=Der Request konnte nicht g\u00FCltig validiert werden (Fehler\={0}).
+pvp2.23={0} ist keine gueltige AssertionConsumerServiceURL oder entspricht nicht den Metadaten.
oauth20.01=Fehlerhafte redirect url
oauth20.02=Fehlender oder ung\u00FCltiger Parameter "{0}"