aboutsummaryrefslogtreecommitdiff
path: root/id/server/idserverlib/src/main/java/at
diff options
context:
space:
mode:
Diffstat (limited to 'id/server/idserverlib/src/main/java/at')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java25
1 files changed, 24 insertions, 1 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java
index 7c51e7d6b..02028bf1a 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java
@@ -30,6 +30,9 @@ import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import at.gv.egovernment.moa.id.auth.builder.RedirectFormBuilder;
+import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead;
+import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils;
+import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
import at.gv.egovernment.moa.util.URLEncoder;
@@ -45,12 +48,29 @@ public class RedirectServlet extends AuthServlet{
protected void doGet(HttpServletRequest req, HttpServletResponse resp)
throws ServletException, IOException {
- Logger.info("Receive " + RedirectServlet.class + " Request");
+ Logger.debug("Receive " + RedirectServlet.class + " Request");
String url = req.getParameter(REDIRCT_PARAM_URL);
String target = req.getParameter(PARAM_TARGET);
String artifact = req.getParameter(PARAM_SAMLARTIFACT);
+ Logger.debug("Check URL against online-applications");
+ try {
+ OnlineApplication oa = ConfigurationDBRead.getActiveOnlineApplication(url);
+ if (oa == null) {
+ resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Request not allowed.");
+ return;
+
+ }
+ } catch (Throwable e) {
+ resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Request not allowed.");
+ return;
+
+ } finally {
+ ConfigurationDBUtils.closeSession();
+
+ }
+
Logger.info("Redirect to " + url);
if (MiscUtil.isNotEmpty(target)) {
@@ -71,6 +91,9 @@ public class RedirectServlet extends AuthServlet{
PrintWriter out = new PrintWriter(resp.getOutputStream());
out.write(redirect_form);
out.flush();
+
+
}
+
}