Diffstat (limited to 'id/ConfigWebTool/src/main')
-rw-r--r-- | id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java
index 8004ab520..12bd4aff9 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java
@@ -290,6 +290,19 @@ public class IndexAction extends ActionSupport implements ServletRequestAware,
 }
+ //check response destination
+ String serviceURL = config.getPublicUrlPreFix(request);
+ if (!serviceURL.endsWith("/"))
+ serviceURL = serviceURL + "/";
+
+ String responseDestination = samlResponse.getDestination();
+ if (MiscUtil.isEmpty(responseDestination) ||
+ !responseDestination.equals(serviceURL + Constants.SERVLET_PVP2ASSERTION)) {
+ log.warn("PVPResponse destination does not match requested destination");
+ return Constants.STRUTS_ERROR;
+ }
+
+ //check if response is signed
 Signature sign = samlResponse.getSignature();
 if (sign == null) {
 log.info("Only http POST Requests can be used"); |