aboutsummaryrefslogtreecommitdiff
path: root/id/ConfigWebTool/src/main/java/at/gv
diff options
context:
space:
mode:
Diffstat (limited to 'id/ConfigWebTool/src/main/java/at/gv')
-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java13
1 files changed, 13 insertions, 0 deletions
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java
index 8004ab520..12bd4aff9 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java
@@ -290,6 +290,19 @@ public class IndexAction extends ActionSupport implements ServletRequestAware,
}
+ //check response destination
+ String serviceURL = config.getPublicUrlPreFix(request);
+ if (!serviceURL.endsWith("/"))
+ serviceURL = serviceURL + "/";
+
+ String responseDestination = samlResponse.getDestination();
+ if (MiscUtil.isEmpty(responseDestination) ||
+ !responseDestination.equals(serviceURL + Constants.SERVLET_PVP2ASSERTION)) {
+ log.warn("PVPResponse destination does not match requested destination");
+ return Constants.STRUTS_ERROR;
+ }
+
+ //check if response is signed
Signature sign = samlResponse.getSignature();
if (sign == null) {
log.info("Only http POST Requests can be used");