cxf-commits mailing list archives

From cohei...@apache.org
Subject [4/4] cxf-fediz git commit: SAML SSO Address validation fix
Date Thu, 08 Dec 2016 17:03:13 GMT
SAML SSO Address validation fix


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/a4ba9889
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/a4ba9889
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/a4ba9889

Branch: refs/heads/master
Commit: a4ba98893738008adddce4061278cd48a82da756
Parents: 9d2805f
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Thu Dec 8 17:02:54 2016 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Thu Dec 8 17:02:54 2016 +0000

----------------------------------------------------------------------
 .../webapp/WEB-INF/flows/federation-signin-request.xml    |  8 ++++----
 .../src/main/webapp/WEB-INF/flows/saml-signin-request.xml | 10 +++++++---
 2 files changed, 11 insertions(+), 7 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/a4ba9889/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml
index 6051182..8c908c7 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml
@@ -94,13 +94,13 @@
             expression="idpTokenExpiredAction.isTokenExpired(flowScope.home_realm, flowRequestContext)
or
                         wfreshParser.authenticationRequired(flowScope.wfresh, flowScope.home_realm,
flowRequestContext)" />
         <transition on="yes" to="redirectToTrustedIDP" />
-        <transition on="no" to="validateWReply" >
+        <transition on="no" to="validateReturnAddress" >
             <set name="flowScope.idpToken" value="externalContext.sessionMap[home_realm]"
/>
         </transition>
         <transition on-exception="java.lang.Throwable" to="viewBadRequest" />
     </action-state>
     
-    <action-state id="validateWReply">
+    <action-state id="validateReturnAddress">
         <evaluate expression="commonsURLValidator.isValid(flowRequestContext, flowScope.wreply)
                               and passiveRequestorValidator.isValid(flowRequestContext, flowScope.wreply,
flowScope.wtrealm)"/>
         <transition on="yes" to="requestRpToken" />
@@ -134,7 +134,7 @@
             expression="idpTokenExpiredAction.isTokenExpired(flowScope.home_realm, flowRequestContext)
or
                         wfreshParser.authenticationRequired(flowScope.wfresh, flowScope.home_realm,
flowRequestContext)" />
         <transition on="yes" to="redirectToLocalIDP" />
-        <transition on="no" to="validateWReply">
+        <transition on="no" to="validateReturnAddress">
             <set name="flowScope.idpToken" value="externalContext.sessionMap[home_realm]"
/>
         </transition>
         <transition on-exception="java.lang.Throwable" to="viewBadRequest" />
@@ -151,7 +151,7 @@
     <action-state id="cacheSecurityToken">
         <secured attributes="IS_AUTHENTICATED_FULLY" />
         <evaluate expression="cacheSecurityToken.submit(flowRequestContext)" />
-        <transition to="validateWReply">
+        <transition to="validateReturnAddress">
             <set name="flowScope.idpToken" value="externalContext.sessionMap[home_realm]"
/>
         </transition>
     </action-state>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/a4ba9889/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
index 59ea18b..f167198 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
@@ -91,14 +91,18 @@
             expression="idpTokenExpiredAction.isTokenExpired(flowScope.home_realm, flowRequestContext)
                         or authnRequestParser.isForceAuthentication(flowRequestContext)"
/>
         <transition on="yes" to="redirectToTrustedIDP" />
-        <transition on="no" to="validateWReply" >
+        <transition on="no" to="validateReturnAddress" >
             <set name="flowScope.idpToken" value="externalContext.sessionMap[flowScope.home_realm]"
/>
         </transition>
         <transition on-exception="java.lang.Throwable" to="viewBadRequest" />
     </action-state>
     
-    <action-state id="validateWReply">
-        <evaluate expression="commonsURLValidator.isValid(flowRequestContext, flowScope.wreply)
+    <action-state id="validateReturnAddress">
+        <on-entry>
+            <evaluate expression="authnRequestParser.retrieveConsumerURL(flowRequestContext)"

+                      result="flowScope.consumerURL"/>
+        </on-entry>
+        <evaluate expression="commonsURLValidator.isValid(flowRequestContext, flowScope.consumerURL)
                               and passiveRequestorValidator.isValid(flowRequestContext, flowScope.consumerURL,
flowScope.realm)"/>
         <transition on="yes" to="requestRpToken" />
         <transition on="no" to="viewBadRequest" />
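Review bot: The value stored in `flowScope.consumerURL` by the new `<on-entry>` evaluate is taken from the inbound AuthnRequest, so it is caller-supplied, and the two validators on the following `<evaluate>` are the only check applied before the flow proceeds to requestRpToken; a comment on the state would make that contract explicit to the next maintainer, e.g. `<!-- consumerURL is read from the AuthnRequest and is untrusted until commonsURLValidator and passiveRequestorValidator accept it for flowScope.realm -->`. It is not visible from the hunk whether this state carries an `on-exception` transition like the state above it, so if `retrieveConsumerURL` can throw (for instance on a request with no consumer URL) or yield null, it is worth confirming that path ends in viewBadRequest rather than leaving the state undefined. The `<action-state>` closes outside the hunk.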

