From b93dce9835884f005ff262de4882ffbca167fc04 Mon Sep 17 00:00:00 2001
From: Thomas Lenz
Date: Wed, 2 Apr 2014 12:14:22 +0200
Subject: check response desination URL

---
 .../moa/id/configuration/struts/action/IndexAction.java | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java
index 8004ab520..12bd4aff9 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java
@@ -290,6 +290,19 @@ public class IndexAction extends ActionSupport implements ServletRequestAware,
 		}
 
+		//check response destination
+		String serviceURL = config.getPublicUrlPreFix(request);
+		if (!serviceURL.endsWith("/"))
+			serviceURL = serviceURL + "/";
+
+		String responseDestination = samlResponse.getDestination();
+		if (MiscUtil.isEmpty(responseDestination) ||
+				!responseDestination.equals(serviceURL + Constants.SERVLET_PVP2ASSERTION)) {
+			log.warn("PVPResponse destination does not match requested destination");
+			return Constants.STRUTS_ERROR;
+		}
+
+
 		//check if response is signed
 		Signature sign = samlResponse.getSignature();
 		if (sign == null) {
 			log.info("Only http POST Requests can be used");
-- 
cgit v1.2.3
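Review bot: The expected destination is built from `config.getPublicUrlPreFix(request)`, and because that helper is handed the incoming request it may derive the prefix from request data such as the Host header; if so, the new check compares the SAML Destination against a value the sender can influence and gives little assurance, so confirm the prefix comes from static configuration or compare against a fixed configured URL instead. The mismatch branch also logs neither the received nor the expected value, which makes triage of a rejected response hard; suggest `log.warn("PVPResponse destination '" + responseDestination + "' does not match expected destination '" + serviceURL + Constants.SERVLET_PVP2ASSERTION + "'");` (no secrets are involved in these values). A null return from getPublicUrlPreFix would throw on `serviceURL.endsWith("/")` rather than being rejected cleanly, so a null guard before that line is worth adding if the helper can return null. The enclosing method starts and ends outside the hunk.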