1 files changed, 24 insertions, 7 deletions

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java
index a00de1da0..e5a8bb739 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java
@@ -23,6 +23,7 @@
 package at.gv.egovernment.moa.id.auth.servlet;
 
 import java.io.IOException;
+import java.util.List;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -33,14 +34,14 @@ import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 
+import at.gv.egiz.eaaf.core.api.gui.IGUIFormBuilder;
+import at.gv.egiz.eaaf.core.impl.utils.HTTPUtils;
 import at.gv.egovernment.moa.id.auth.frontend.builder.DefaultGUIFormBuilderConfiguration;
-import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIFormBuilder;
 import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
+import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
 import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
 import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants;
-import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
 import at.gv.egovernment.moa.id.moduls.SSOManager;
-import at.gv.egovernment.moa.id.util.HTTPUtils;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.MiscUtil;
 import at.gv.egovernment.moa.util.URLEncoder;
@@ -57,8 +58,9 @@ public class RedirectServlet {
 	private static final String URL = "URL";
 	private static final String TARGET = "TARGET";
 	
-	@Autowired SSOManager ssoManager;
-	@Autowired IGUIFormBuilder guiBuilder;
+	@Autowired(required=true) SSOManager ssoManager;
+	@Autowired(required=true) IGUIFormBuilder guiBuilder;
+	@Autowired(required=true) private AuthConfiguration authConfig;
 	
 	@RequestMapping(value = "/RedirectServlet", method = RequestMethod.GET)
 	public void performLogOut(HttpServletRequest req, HttpServletResponse resp) throws IOException {
@@ -78,10 +80,13 @@ public class RedirectServlet {
 			
 			//url = URLDecoder.decode(url, "UTF-8");
 			
-			oa = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(url);
+			oa = authConfig.getServiceProviderConfiguration(url, IOAAuthParameters.class);
 			String authURL = HTTPUtils.extractAuthURLFromRequest(req);
 			
-			if (oa == null || !AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix().contains(authURL)) {		
+			List<String> allowedPublicUrlPrefixes = authConfig.getPublicURLPrefix();
+			
+			if ((oa == null && !checkRedirectToItself(url, allowedPublicUrlPrefixes)) 
+					|| !authConfig.getPublicURLPrefix().contains(authURL)) {		
 				resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Parameters not valid");
 				return;
 				
@@ -166,5 +171,17 @@ public class RedirectServlet {
 		}
 		
 	}
+
+	private boolean checkRedirectToItself(String url, List<String> allowedPublicUrlPrefixes) {
+		if (url != null) {		
+			for (String el : allowedPublicUrlPrefixes) {
+				if (url.startsWith(el))
+					return true;
+			
+			}
+		}
+		
+		return false;
+	}
 	
 }