cxf-commits mailing list archives

From cohei...@apache.org
Subject cxf git commit: Make the client address optional for SAML SSO
Date Thu, 03 Aug 2017 09:33:46 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.1.x-fixes e7a890acf -> 726e6190d


Make the client address optional for SAML SSO


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/726e6190
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/726e6190
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/726e6190

Branch: refs/heads/3.1.x-fixes
Commit: 726e6190d54643d4bcd84f876f9d051a7376f398
Parents: e7a890a
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Thu Aug 3 10:32:22 2017 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Thu Aug 3 10:32:45 2017 +0100

----------------------------------------------------------------------
 .../sso/AbstractRequestAssertionConsumerHandler.java | 15 +++++++++++++--
 .../security/saml/sso/SAMLSSOResponseValidator.java  |  2 +-
 2 files changed, 14 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/726e6190/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java
b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java
index 9c13637..6039a1e 100644
--- a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java
+++ b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java
@@ -66,6 +66,7 @@ public abstract class AbstractRequestAssertionConsumerHandler extends AbstractSS
     private boolean enforceAssertionsSigned = true;
     private boolean enforceKnownIssuer = true;
     private boolean keyInfoMustBeAvailable = true;
+    private boolean checkClientAddress = true;
     private boolean enforceResponseSigned;
     private TokenReplayCache<String> replayCache;
 
@@ -343,8 +344,10 @@ public abstract class AbstractRequestAssertionConsumerHandler extends
AbstractSS
             }
             ssoResponseValidator.setAssertionConsumerURL(racsAddress);
 
-            ssoResponseValidator.setClientAddress(
-                 messageContext.getHttpServletRequest().getRemoteAddr());
+            if (checkClientAddress) {
+                ssoResponseValidator.setClientAddress(
+                    messageContext.getHttpServletRequest().getRemoteAddr());
+            }
 
             ssoResponseValidator.setIssuerIDP(requestState.getIdpServiceAddress());
             ssoResponseValidator.setRequestId(requestState.getSamlRequestId());
@@ -416,4 +419,12 @@ public abstract class AbstractRequestAssertionConsumerHandler extends
AbstractSS
         this.assertionConsumerServiceAddress = assertionConsumerServiceAddress;
     }
 
+    public boolean isCheckClientAddress() {
+        return checkClientAddress;
+    }
+
+    public void setCheckClientAddress(boolean checkClientAddress) {
+        this.checkClientAddress = checkClientAddress;
+    }
+
 }
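Review bot: `setCheckClientAddress` is added without Javadoc, although it turns off a validation step whose field defaults to `true` in the first hunk. Someone setting it to `false` should be told what is lost: the SubjectConfirmationData Address is no longer compared with the request's remote address, so the remaining checks are the only binding left. I would add above the setter `/** Whether to compare the SubjectConfirmationData Address with the remote address of the request. Default is true; set to false only when the client address seen here is not the one the IdP saw. */`. The getter can carry a one-line `@return` to match.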

http://git-wip-us.apache.org/repos/asf/cxf/blob/726e6190/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
index 25083c1..d060671 100644
--- a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
+++ b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
@@ -245,7 +245,7 @@ public class SAMLSSOResponseValidator {
         }
         
         // Check address
-        if (subjectConfData.getAddress() != null
+        if (subjectConfData.getAddress() != null && clientAddress != null
             && !subjectConfData.getAddress().equals(clientAddress)) {
             LOG.fine("Subject Conf Data address " + subjectConfData.getAddress() + " does
match"
                      + " client address " + clientAddress);
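Review bot: The added `clientAddress != null` term makes the Address check fail open. Any user of SAMLSSOResponseValidator that never calls `setClientAddress`, or passes it a null, now skips the comparison silently, not only the handler with `checkClientAddress` set to false. Before this change a null client address would have entered this branch. Consider an explicit boolean on the validator for the opt-out, or at least a trace when an assertion carries an Address and no comparison is made, e.g. `LOG.fine("Subject Conf Data address present but no client address was set; skipping check");`. Separately, the log text in the context lines reads "does match" where "does not match" is meant. The body of the `if` continues outside the hunk.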

