Diffstat (limited to 'id/server')
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java20
1 files changed, 15 insertions, 5 deletions
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
index 379a16a96..85fb1626f 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
@@ -196,23 +196,33 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController {
samlReq.setPersonalAttributeList(pendingReq.getEidasRequestedAttributes()); // circumvent non-serializable eidas personal attribute list
pendingReq.setEidasRequest(samlReq);
- //validate destination against metadata
+ //validate Destination against MOA-ID-Auth configuration
String reqDestination = samlReq.getDestination();
- if (MiscUtil.isNotEmpty(reqDestination)) {
+ if (MiscUtil.isEmpty(reqDestination) ||
+ !reqDestination.startsWith(pendingReq.getAuthURL())) {
+ Logger.info("eIDAS AuthnRequest contains a not valid 'Destination' attribute");
+ throw new eIDASAuthnRequestValidationException("stork.01",
+ new Object[]{"eIDAS AuthnRequest contains a not valid 'Destination' attribute"});
+
+ }
+
+ //validate AssertionConsumerServiceURL against metadata
+ String reqAssertionConsumerServiceURL = samlReq.getAssertionConsumerServiceURL();
+ if (MiscUtil.isNotEmpty(reqAssertionConsumerServiceURL)) {
boolean isValid = false;
List<AssertionConsumerService> allowedAssertionConsumerUrl = new MOAeIDASMetadataProviderDecorator(eIDASMetadataProvider)
.getSPSSODescriptor(samlReq.getIssuer()).getAssertionConsumerServices();
for (AssertionConsumerService el : allowedAssertionConsumerUrl) {
- if (reqDestination.equals(el.getLocation()))
+ if (reqAssertionConsumerServiceURL.equals(el.getLocation()))
isValid = true;
}
if (!isValid) {
- Logger.info("eIDAS AuthnRequest contains a not valid 'Destination' attribute");
+ Logger.info("eIDAS AuthnRequest contains a not valid 'AssertionConsumerServiceURL' attribute");
throw new eIDASAuthnRequestValidationException("stork.01",
- new Object[]{"eIDAS AuthnRequest contains a not valid 'Destination' attribute"});
+ new Object[]{"eIDAS AuthnRequest contains a not valid 'AssertionConsumerServiceURL' attribute"});
}
}