From ef72bd803121c3383ca9c8f0dd1c308c04963330 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 7 Mar 2014 13:58:05 +0100 Subject: check if InResponseTo match requestID --- .../configuration/struts/action/IndexAction.java | 43 +++++++++++----------- 1 file changed, 21 insertions(+), 22 deletions(-) (limited to 'id/ConfigWebTool/src/main') diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java index a51709e04..8004ab520 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java @@ -278,6 +278,18 @@ public class IndexAction extends ActionSupport implements ServletRequestAware, Response samlResponse = (Response) messageContext.getInboundMessage(); + //ckeck InResponseTo matchs requestID + if (MiscUtil.isEmpty(authID)) { + log.info("NO AuthRequestID"); + return Constants.STRUTS_ERROR; + } + + if (!authID.equals(samlResponse.getInResponseTo())) { + log.warn("PVPRequestID does not match PVP2 Assertion ID!"); + return Constants.STRUTS_ERROR; + + } + Signature sign = samlResponse.getSignature(); if (sign == null) { log.info("Only http POST Requests can be used"); @@ -352,29 +364,9 @@ public class IndexAction extends ActionSupport implements ServletRequestAware, saml2assertions = samlResponse.getAssertions(); } - - - if (MiscUtil.isEmpty(authID)) { - log.info("NO AuthRequestID"); - return Constants.STRUTS_ERROR; - } - + for (org.opensaml.saml2.core.Assertion saml2assertion : saml2assertions) { - - Subject subject = saml2assertion.getSubject(); - List subjectconformlist = subject.getSubjectConfirmations(); - for (SubjectConfirmation el : subjectconformlist) { - if (el.getMethod().equals(SubjectConfirmation.METHOD_BEARER)) { - SubjectConfirmationData date = el.getSubjectConfirmationData(); - - if (!authID.equals(date.getInResponseTo())) { - log.warn("PVPRequestID does not match PVP2 Assertion ID!"); - return Constants.STRUTS_ERROR; - - } - } - } - + Conditions conditions = saml2assertion.getConditions(); DateTime notbefore = conditions.getNotBefore(); DateTime notafter = conditions.getNotOnOrAfter(); @@ -383,6 +375,13 @@ public class IndexAction extends ActionSupport implements ServletRequestAware, return Constants.STRUTS_ERROR; } + + Subject subject = saml2assertion.getSubject(); + if (subject == null) { + log.warn("Assertion has no Subject element"); + return Constants.STRUTS_ERROR; + + } NameID nameID = subject.getNameID(); if (nameID == null) { -- cgit v1.2.3