diff options
Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/SelectBKUServlet.java')
-rw-r--r-- | id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/SelectBKUServlet.java | 27 |
1 files changed, 23 insertions, 4 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/SelectBKUServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/SelectBKUServlet.java index 09b3ae15f..6e285a2c0 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/SelectBKUServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/SelectBKUServlet.java @@ -24,7 +24,10 @@ import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import org.apache.commons.lang.StringEscapeUtils; + import at.gv.egovernment.moa.id.auth.AuthenticationServer; +import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.MOAIDAuthInitializer; import at.gv.egovernment.moa.id.auth.WrongParametersException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; @@ -70,6 +73,12 @@ public class SelectBKUServlet extends AuthServlet { throws ServletException, IOException { Logger.debug("GET SelectBKU"); + + resp.setHeader(MOAIDAuthConstants.HEADER_EXPIRES,MOAIDAuthConstants.HEADER_VALUE_EXPIRES); + resp.setHeader(MOAIDAuthConstants.HEADER_PRAGMA,MOAIDAuthConstants.HEADER_VALUE_PRAGMA); + resp.setHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL); + resp.addHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL_IE); + String authURL = req.getScheme() + "://" + req.getServerName(); if ((req.getScheme().equalsIgnoreCase("https") && req.getServerPort()!=443) || (req.getScheme().equalsIgnoreCase("http") && req.getServerPort()!=80)) { authURL = authURL.concat(":" + req.getServerPort()); @@ -80,6 +89,14 @@ public class SelectBKUServlet extends AuthServlet { String oaURL = req.getParameter(PARAM_OA); String bkuSelectionTemplateURL = req.getParameter(PARAM_BKUTEMPLATE); String templateURL = req.getParameter(PARAM_TEMPLATE); + + // escape parameter strings + target = StringEscapeUtils.escapeHtml(target); + oaURL = StringEscapeUtils.escapeHtml(oaURL); + templateURL = StringEscapeUtils.escapeHtml(templateURL); + bkuSelectionTemplateURL = StringEscapeUtils.escapeHtml(bkuSelectionTemplateURL); + + resp.setHeader(HEADER_EXPIRES,HEADER_VALUE_EXPIRES); resp.setHeader(HEADER_PRAGMA,HEADER_VALUE_PRAGMA); resp.setHeader(HEADER_CACHE_CONTROL,HEADER_VALUE_CACHE_CONTROL); @@ -89,11 +106,13 @@ public class SelectBKUServlet extends AuthServlet { // check parameter if (!ParamValidatorUtils.isValidTarget(target)) - throw new WrongParametersException("StartAuthentication", PARAM_TARGET, "auth.12"); + throw new WrongParametersException("SelectBKU", PARAM_TARGET, "auth.12"); if (!ParamValidatorUtils.isValidOA(oaURL)) - throw new WrongParametersException("StartAuthentication", PARAM_OA, "auth.12"); - if (!ParamValidatorUtils.isValidTemplate(templateURL)) - throw new WrongParametersException("StartAuthentication", PARAM_TEMPLATE, "auth.12"); + throw new WrongParametersException("SelectBKU", PARAM_OA, "auth.12"); + if (!ParamValidatorUtils.isValidTemplate(req, templateURL)) + throw new WrongParametersException("SelectBKU", PARAM_TEMPLATE, "auth.12"); + if (!ParamValidatorUtils.isValidTemplate(req, bkuSelectionTemplateURL)) + throw new WrongParametersException("SelectBKU", PARAM_TEMPLATE, "auth.12"); String returnValue = AuthenticationServer.getInstance().selectBKU( |