aboutsummaryrefslogtreecommitdiff
path: root/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java
diff options
context:
space:
mode:
Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java19
1 files changed, 17 insertions, 2 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java
index c77542b4a..e5a8bb739 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java
@@ -23,6 +23,7 @@
package at.gv.egovernment.moa.id.auth.servlet;
import java.io.IOException;
+import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
@@ -40,7 +41,6 @@ import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants;
-import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
import at.gv.egovernment.moa.id.moduls.SSOManager;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
@@ -83,7 +83,10 @@ public class RedirectServlet {
oa = authConfig.getServiceProviderConfiguration(url, IOAAuthParameters.class);
String authURL = HTTPUtils.extractAuthURLFromRequest(req);
- if (oa == null || !authConfig.getPublicURLPrefix().contains(authURL)) {
+ List<String> allowedPublicUrlPrefixes = authConfig.getPublicURLPrefix();
+
+ if ((oa == null && !checkRedirectToItself(url, allowedPublicUrlPrefixes))
+ || !authConfig.getPublicURLPrefix().contains(authURL)) {
resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Parameters not valid");
return;
@@ -168,5 +171,17 @@ public class RedirectServlet {
}
}
+
+ private boolean checkRedirectToItself(String url, List<String> allowedPublicUrlPrefixes) {
+ if (url != null) {
+ for (String el : allowedPublicUrlPrefixes) {
+ if (url.startsWith(el))
+ return true;
+
+ }
+ }
+
+ return false;
+ }
}
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-03 00:54:12 +0000