From 8cb4ecdf1f2e120e4dcf3c1a4101206250028444 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Mon, 31 Mar 2014 07:48:47 +0200
Subject: Allow only redirect to OAs from OA configuration

---
 .../moa/id/auth/servlet/LogOutServlet.java           | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

(limited to 'id')

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java
index 84732d4ce..a11601daa 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java
@@ -54,6 +54,9 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import at.gv.egovernment.moa.id.auth.MOAIDAuthInitializer;
+import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead;
+import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils;
+import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication;
 import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
 import at.gv.egovernment.moa.id.moduls.AuthenticationManager;
 import at.gv.egovernment.moa.id.moduls.RequestStorage;
@@ -86,6 +89,16 @@ public class LogOutServlet extends AuthServlet {
 			//set default redirect Target
 			Logger.debug("Set default RedirectURL back to MOA-ID-Auth");
 			redirectUrl = AuthConfigurationProvider.getInstance().getPublicURLPrefix();
+			
+		} else {
+			//return an error if RedirectURL is not a active Online-Applikation
+			OnlineApplication oa = ConfigurationDBRead.getActiveOnlineApplication(redirectUrl);			
+			if (oa == null) {		
+				resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Parameters not valid");
+				return;
+				
+			}
+			
 		}
 		
 		if (ssomanager.isValidSSOSession(ssoid, req)) {
@@ -108,7 +121,12 @@ public class LogOutServlet extends AuthServlet {
 		ssomanager.deleteSSOSessionID(req, resp);
 		
 	} catch (Exception e) {
-		Logger.warn(LogOutServlet.class.getName() + " has an LogOut Error. Redirect to Applikation " + redirectUrl, e);
+		resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Request not allowed.");
+		return;
+		
+	} finally {
+		ConfigurationDBUtils.closeSession();
+		
 	}
 		
 	//Redirect to Application
-- 
cgit v1.2.3