From 3f3108fc808f53c3c8bc001de6ff19ce962bdc9b Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Tue, 18 Mar 2014 14:11:52 +0100
Subject: check if redirect target is an valid online-application

---
 .../moa/id/auth/servlet/RedirectServlet.java       | 25 +++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

(limited to 'id/server/idserverlib/src/main/java')

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java
index 7c51e7d6b..02028bf1a 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java
@@ -30,6 +30,9 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import at.gv.egovernment.moa.id.auth.builder.RedirectFormBuilder;
+import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead;
+import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils;
+import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.MiscUtil;
 import at.gv.egovernment.moa.util.URLEncoder;
@@ -45,12 +48,29 @@ public class RedirectServlet extends AuthServlet{
 	
 	protected void doGet(HttpServletRequest req, HttpServletResponse resp)
 			throws ServletException, IOException {
-		Logger.info("Receive " + RedirectServlet.class + " Request");
+		Logger.debug("Receive " + RedirectServlet.class + " Request");
 		
 		String url = req.getParameter(REDIRCT_PARAM_URL);
 		String target = req.getParameter(PARAM_TARGET);
 		String artifact = req.getParameter(PARAM_SAMLARTIFACT);
 		
+		Logger.debug("Check URL against online-applications");
+		try {
+			OnlineApplication oa = ConfigurationDBRead.getActiveOnlineApplication(url);
+			if (oa == null) {		
+				resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Request not allowed.");
+				return;
+				
+			}
+		} catch (Throwable e) {
+			resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Request not allowed.");
+			return;
+						
+		} finally {
+			ConfigurationDBUtils.closeSession();
+			
+		}
+					
 		Logger.info("Redirect to " + url);
 		
 		if (MiscUtil.isNotEmpty(target)) {
@@ -71,6 +91,9 @@ public class RedirectServlet extends AuthServlet{
 		PrintWriter out = new PrintWriter(resp.getOutputStream()); 
 		out.write(redirect_form);
 		out.flush();
+		
+
 	}
+	
 
 }
-- 
cgit v1.2.3