From 72e86431b59c466673214d330bbd9baa295449cf Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 4 Nov 2016 09:51:26 +0100 Subject: add hostname validation to httpclient 3.1, which is assumed by openSAML 2.x --- .../moa/id/protocols/pvp2x/metadata/SimpleMOAMetadataProvider.java | 5 ++++- .../egovernment/moa/id/protocols/pvp2x/utils/MOASAMLSOAPClient.java | 6 +++++- 2 files changed, 9 insertions(+), 2 deletions(-) (limited to 'id/server/idserverlib') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/SimpleMOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/SimpleMOAMetadataProvider.java index c0ba1d96d..d5c7d9100 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/SimpleMOAMetadataProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/SimpleMOAMetadataProvider.java @@ -66,13 +66,16 @@ public abstract class SimpleMOAMetadataProvider implements MetadataProvider{ if (metadataURL.startsWith("https:")) { try { + //FIX: change hostname validation default flag to true when httpClient is updated to > 4.4 MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory( PVPConstants.SSLSOCKETFACTORYNAME, AuthConfigurationProviderFactory.getInstance().getTrustedCACertificates(), null, AuthConfiguration.DEFAULT_X509_CHAININGMODE, AuthConfigurationProviderFactory.getInstance().isTrustmanagerrevoationchecking(), - AuthConfigurationProviderFactory.getInstance().getRevocationMethodOrder()); + AuthConfigurationProviderFactory.getInstance().getRevocationMethodOrder(), + AuthConfigurationProviderFactory.getInstance().getBasicMOAIDConfigurationBoolean( + AuthConfiguration.PROP_KEY_SSL_HOSTNAME_VALIDATION, false)); httpClient.setCustomSSLTrustStore(metadataURL, protoSocketFactory); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/MOASAMLSOAPClient.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/MOASAMLSOAPClient.java index 0d1f54249..e02ecb662 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/MOASAMLSOAPClient.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/MOASAMLSOAPClient.java @@ -35,6 +35,7 @@ import org.opensaml.xml.XMLObject; import org.opensaml.xml.parse.BasicParserPool; import org.opensaml.xml.security.SecurityException; +import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException; import at.gv.egovernment.moa.id.commons.utils.MOAHttpProtocolSocketFactory; @@ -70,6 +71,7 @@ public class MOASAMLSOAPClient { HttpClientBuilder clientBuilder = new HttpClientBuilder(); if (destination.startsWith("https")) { try { + //FIX: change hostname validation default flag to true when httpClient is updated to > 4.4 SecureProtocolSocketFactory sslprotocolsocketfactory = new MOAHttpProtocolSocketFactory( PVPConstants.SSLSOCKETFACTORYNAME, @@ -77,7 +79,9 @@ public class MOASAMLSOAPClient { null, AuthConfigurationProviderFactory.getInstance().getDefaultChainingMode(), AuthConfigurationProviderFactory.getInstance().isTrustmanagerrevoationchecking(), - AuthConfigurationProviderFactory.getInstance().getRevocationMethodOrder()); + AuthConfigurationProviderFactory.getInstance().getRevocationMethodOrder(), + AuthConfigurationProviderFactory.getInstance().getBasicMOAIDConfigurationBoolean( + AuthConfiguration.PROP_KEY_SSL_HOSTNAME_VALIDATION, false)); clientBuilder.setHttpsProtocolSocketFactory(sslprotocolsocketfactory ); } catch (MOAHttpProtocolSocketFactoryException e) { -- cgit v1.2.3