From 76b43178f068650e8df40c3f7eb4993ff709499c Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 19 Mar 2014 12:17:32 +0100 Subject: Add advanced parameter validation. Redirect is only allowed if Redirect URL maps to OA configuration. Load redirectTarget from OA configuration. --- .../moa/id/auth/builder/RedirectFormBuilder.java | 6 ++++-- .../moa/id/auth/servlet/RedirectServlet.java | 22 +++++++++++++++++++--- 2 files changed, 23 insertions(+), 5 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at/gv') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/RedirectFormBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/RedirectFormBuilder.java index e2a736330..2a5c8d418 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/RedirectFormBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/RedirectFormBuilder.java @@ -31,7 +31,8 @@ import at.gv.egovernment.moa.logging.Logger; public class RedirectFormBuilder { - private static String URL = "#URL#"; + private static String URL = "#URL#"; + private static String TARGET = "#TARGET#"; private static String template; private static String getTemplate() { @@ -53,9 +54,10 @@ public class RedirectFormBuilder { return template; } - public static String buildLoginForm(String url) { + public static String buildLoginForm(String url, String redirectTarget) { String value = getTemplate(); value = value.replace(URL, url); + value = value.replace(TARGET, redirectTarget); return value; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java index 02028bf1a..671151bbe 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java @@ -54,14 +54,30 @@ public class RedirectServlet extends AuthServlet{ String target = req.getParameter(PARAM_TARGET); String artifact = req.getParameter(PARAM_SAMLARTIFACT); + if (MiscUtil.isEmpty(artifact)) { + resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Parameters not valid"); + return; + } + Logger.debug("Check URL against online-applications"); + OnlineApplication oa = null; + String redirectTarget = "_parent"; try { - OnlineApplication oa = ConfigurationDBRead.getActiveOnlineApplication(url); + oa = ConfigurationDBRead.getActiveOnlineApplication(url); if (oa == null) { - resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Request not allowed."); + resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Parameters not valid"); return; + } else { + try { + redirectTarget = oa.getAuthComponentOA().getTemplates().getBKUSelectionCustomization().getAppletRedirectTarget(); + + } catch (Exception e) { + Logger.debug("Use default redirectTarget."); + } + } + } catch (Throwable e) { resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Request not allowed."); return; @@ -85,7 +101,7 @@ public class RedirectServlet extends AuthServlet{ URLEncoder.encode(artifact, "UTF-8")); url = resp.encodeRedirectURL(url); - String redirect_form = RedirectFormBuilder.buildLoginForm(url); + String redirect_form = RedirectFormBuilder.buildLoginForm(url, redirectTarget); resp.setContentType("text/html;charset=UTF-8"); PrintWriter out = new PrintWriter(resp.getOutputStream()); -- cgit v1.2.3