From 4b9879c26d61ddb24cb0a4be98e8911b62156323 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 18 Nov 2016 13:03:32 +0100 Subject: fix bug in servlet --- .../gv/egovernment/moa/id/auth/servlet/RedirectServlet.java | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) (limited to 'id/server/idserverlib') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java index 3eaede028..1848fa6f7 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java @@ -27,6 +27,7 @@ import java.io.IOException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import org.apache.commons.lang.StringEscapeUtils; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.RequestMapping; @@ -70,10 +71,13 @@ public class RedirectServlet { IOAAuthParameters oa = null; String redirectTarget = DEFAULT_REDIRECTTARGET; try { + //validate URL + new java.net.URL(url); + oa = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(url); String authURL = HTTPUtils.extractAuthURLFromRequest(req); - if (oa == null && !AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix().contains(authURL)) { + if (oa == null || !AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix().contains(authURL)) { resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Parameters not valid"); return; @@ -90,7 +94,7 @@ public class RedirectServlet { } Logger.info("Redirect to " + url); - + if (MiscUtil.isNotEmpty(target)) { // redirectURL = addURLParameter(redirectURL, PARAM_TARGET, // URLEncoder.encode(session.getTarget(), "UTF-8")); @@ -108,7 +112,7 @@ public class RedirectServlet { authURL, DefaultGUIFormBuilderConfiguration.VIEW_REDIRECT, null); - config.putCustomParameter(URL, url); + config.putCustomParameter(URL, StringEscapeUtils.escapeHtml(url)); config.putCustomParameter(TARGET, redirectTarget); guiBuilder.build(resp, config, "RedirectForm.html"); @@ -123,14 +127,13 @@ public class RedirectServlet { resp.setStatus(HttpServletResponse.SC_FOUND); resp.addHeader("Location", url); - } else { Logger.debug("Redirect to " + url); DefaultGUIFormBuilderConfiguration config = new DefaultGUIFormBuilderConfiguration( authURL, DefaultGUIFormBuilderConfiguration.VIEW_REDIRECT, null); - config.putCustomParameter(URL, url); + config.putCustomParameter(URL, StringEscapeUtils.escapeHtml(url)); guiBuilder.build(resp, config, "RedirectForm.html"); } -- cgit v1.2.3 From 1ee287cf9d5aa2a2199724252bc331e851eb3669 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 25 Nov 2016 07:45:10 +0100 Subject: fix problem in SAML2 credential provider that selects a wrong keyStore --- .../moa/id/protocols/pvp2x/signer/AbstractCredentialProvider.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'id/server/idserverlib') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/AbstractCredentialProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/AbstractCredentialProvider.java index 77cc7228b..df4866c30 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/AbstractCredentialProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/AbstractCredentialProvider.java @@ -41,7 +41,7 @@ import at.gv.egovernment.moa.util.MiscUtil; public abstract class AbstractCredentialProvider { - private static KeyStore keyStore = null; + private KeyStore keyStore = null; /** * Get a friendlyName for this keyStore implementation -- cgit v1.2.3