From serg...@apache.org
Subject git commit: Minor update to the collocated RequestAssertionService to prevent it reading regular POST form payloads and block PUT/etc requests
Date Tue, 29 Apr 2014 20:05:08 GMT
Repository: cxf
Updated Branches:
  refs/heads/2.7.x-fixes f2e293f87 -> a54d32972


Minor update to the collocated RequestAssertionService to prevent it reading regular POST
form payloads and block PUT/etc requests


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/a54d3297
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/a54d3297
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/a54d3297

Branch: refs/heads/2.7.x-fixes
Commit: a54d32972e7a608532570c2215d7c09881613d45
Parents: f2e293f
Author: Sergey Beryozkin <sberyozkin@talend.com>
Authored: Tue Apr 29 21:02:04 2014 +0100
Committer: Sergey Beryozkin <sberyozkin@talend.com>
Committed: Tue Apr 29 21:04:04 2014 +0100

----------------------------------------------------------------------
 .../sso/RequestAssertionConsumerFilter.java     | 25 +++++++++++++-------
 1 file changed, 16 insertions(+), 9 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/a54d3297/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerFilter.java
b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerFilter.java
index d609215..7cdd21f 100644
--- a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerFilter.java
+++ b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/RequestAssertionConsumerFilter.java
@@ -18,6 +18,7 @@
  */
 package org.apache.cxf.rs.security.saml.sso;
 
+import java.io.ByteArrayInputStream;
 import java.io.IOException;
 
 import javax.ws.rs.BindingPriority;
@@ -27,7 +28,6 @@ import javax.ws.rs.container.ContainerRequestFilter;
 import javax.ws.rs.container.PreMatching;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.MultivaluedMap;
-import javax.ws.rs.core.Response;
 
 import org.apache.cxf.helpers.IOUtils;
 import org.apache.cxf.jaxrs.utils.JAXRSUtils;
@@ -37,24 +37,28 @@ import org.apache.cxf.jaxrs.utils.JAXRSUtils;
 public class RequestAssertionConsumerFilter extends AbstractRequestAssertionConsumerHandler

     implements ContainerRequestFilter {
 
+    private boolean supportPostBinding;
+    
     @Override
     public void filter(ContainerRequestContext ct) throws IOException {
         String httpMethod = ct.getMethod();
-        if (HttpMethod.GET.equals(httpMethod)) {
+        if (HttpMethod.GET.equals(httpMethod) && !supportPostBinding) {
             MultivaluedMap<String, String> params = ct.getUriInfo().getQueryParameters();
             processParams(ct, params, false);
-        } else if (HttpMethod.POST.equals(httpMethod) 
+        } else if (HttpMethod.POST.equals(httpMethod)
+            && supportPostBinding
             && MediaType.APPLICATION_FORM_URLENCODED_TYPE.isCompatible(ct.getMediaType()))
{
             String strForm = IOUtils.toString(ct.getEntityStream());
             MultivaluedMap<String, String> params = JAXRSUtils.getStructuredParams(strForm,
"&", false, false);
-            processParams(ct, params, true);
-        } else {
-            ct.abortWith(Response.status(400).build());
+            if (!processParams(ct, params, true)) {
+                // restore the stream
+                ct.setEntityStream(new ByteArrayInputStream(strForm.getBytes()));
+            }
         }
         
     }
     
-    protected void processParams(ContainerRequestContext ct,
+    protected boolean processParams(ContainerRequestContext ct,
                                  MultivaluedMap<String, String> params, 
                                  boolean postBinding) {
         String encodedSamlResponse = params.getFirst(SSOConstants.SAML_RESPONSE);
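Review bot: The restored entity stream on the `ct.setEntityStream(new ByteArrayInputStream(strForm.getBytes()))` line re-encodes the form body with the platform default charset, whereas `IOUtils.toString(ct.getEntityStream())` decoded it with whatever charset that helper uses (UTF-8, as far as I recall for CXF's IOUtils), so on a JVM whose default charset is not UTF-8 a non-ASCII form value would reach the downstream resource corrupted. Encoding explicitly keeps the round trip lossless: `ct.setEntityStream(new ByteArrayInputStream(strForm.getBytes("UTF-8")));` (UnsupportedEncodingException is an IOException, which `filter` already declares). Separately, dropping the `else { ct.abortWith(Response.status(400).build()); }` branch means PUT/DELETE requests and POSTs that are not form-encoded now pass through this filter untouched, which reads as the opposite of the "block PUT/etc requests" wording in the commit title; if the intent is to leave them to a later filter, a comment such as `// non-SAML requests fall through to the authentication filter` would make that explicit. Note also that with `supportPostBinding` set, the GET condition `HttpMethod.GET.equals(httpMethod) && !supportPostBinding` disables the redirect binding entirely rather than accepting both bindings, which is worth stating on the flag if it is deliberate.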
@@ -62,10 +66,13 @@ public class RequestAssertionConsumerFilter extends AbstractRequestAssertionCons
         if (relayState == null && encodedSamlResponse == null) { 
             // initial redirect to IDP has not happened yet, let the SAML authentication
filter do it
             JAXRSUtils.getCurrentMessage().put(SSOConstants.RACS_IS_COLLOCATED, Boolean.TRUE);
-            return;
+            return false;
         }
         ct.abortWith(doProcessSamlResponse(encodedSamlResponse, relayState, postBinding));
-        
+        return true;
+    }
+    public void setSupportPostBinding(boolean supportPostBinding) {
+        this.supportPostBinding = supportPostBinding;
     }
     
 }
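Review bot: The new boolean result of `processParams` (the `return false;` and `return true;` lines) and the `setSupportPostBinding` setter carry no documentation, so the meaning of the return value has to be reverse-engineered from its use in `filter`. The method's signature is in the previous hunk, outside this one; a Javadoc there along the lines of `@return true if a SAML response was present and the request has been aborted with the RACS result; false if neither RelayState nor SAMLResponse was supplied and the request should proceed` would pin the contract, and it should also mention that the false path puts `RACS_IS_COLLOCATED` on the current message as a side effect. The setter's Javadoc could state that, as the `filter` condition in the previous hunk suggests, enabling it switches the filter from the GET redirect binding to the POST form binding rather than supporting both.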

